Executive Alliance, Inc.
October 16, 2008
New York, New York
ISE UK and Ireland
Summit and Awards
NOMINEE SHOWCASE
PRESENTATION
October 22, 2008
London, United Kingdom
by
Vladimir Jirasek
Information Security & Compliance manager
DSG International plc
Vulnerability scanning for PCI
DSS compliance and risk
management
Today’s Discussion Points
• About DSG International
• PCI DSS programme and beyond compliance
• Vulnerability scanning project
• Lessons learned
DSG International plc
• Major electrical and computing retailer in Europe with
both traditional stores and Web store
• We own brands like Currys, PC World, Pixmania, The
TechGuys, PC City, Electroworld, Elkjop
• No 1 in the UK
• Head office in Hemel Hempstead, UK
• 40,000 employees in the Group
• Annual revenue over £6b
• Processes large amounts of customer data
PCI DSS is good but ...
• Why good? The first standard that retailers take
seriously
• But the scope is, or can be, limited
• DSGi started work on PCI DSS in 2007, with
most of the projects kicked off
• Requirement 11.2 handled by this project
• Limited budget
• Although the scope is limited, the approach was
to take a risk-based approach
Requirements
• Compliant with 11.2, i.e. ASV
• Whole group in the scope (regardless of the PCI
DSS scope)
• Minimal operational overhead
• Potential to satisfy other requirements
• Easy to use
• Fit for distributed IT teams in the Group
Goals
• Develop patching and vulnerability scanning
policy
• Quick win - find the state of DSGi network
(external then internal)
• Deliver first “PASS” PCI DSS scans
• Make this activity BAU for IT teams
Challenges
• Distributed IT teams
• No standardised patching policy
• Limited budget and overstretched IT resources
in most countries
• Missing risk assessment in IT patching
• Scepticism and wariness about vulnerability scanning
Project team
Accountable and project lead:
Vladimir Jirasek - DSGi Information security manager
Team members:
Matt Leggett - Security project manager (UK)
Stelios Kavalaris - Security admin (Greece)
Samy Elmalki - Network admin (France)
Ana Maria Munoz Ponce - System admin (Spain)
Lars-Andre Johannessen - System manager (Nordic group)
Oyvind Gulikstad - Security manager (Nordic group)
Paolo Asioli - Security manager (Italy)
Ed Brown - Systems manager (UK, Techguys)
Michael Braid - Systems admins (UK, DSGi Business)
Overcoming challenges
• Responsibility for “clean” scans transferred to
business units' IT managers
• Group wide standardised patching policy agreed
• Limited budget addressed by using Software as a
service model
• Qualys service is easy to use and understood by IT
teams. Virtually no training required
• Business units in Qualys made group wide rollout
easy to manage
• Testing of the impact of scanning on existing IT systems
Risk based approach
[Network diagram, not recoverable from the page. Zones labelled: Internet, DMZ, Internal network, Head office, Store network. Systems labelled: mainframe, eBusiness, VPN GW, acquirer settlement]
Risk based approach (cont)

       | Critical  | Important     | High         | Medium       | Low
-------|-----------|---------------|--------------|--------------|---------
5      | 24 hours  | 5 days        | 14 days      | 20 days      | 40 days
4      | 5 days    | 10 days       | 20 days      | 1 month      | 2 months
3      | 10 days   | 20 days       | 1 month      | 2 months     | 3 months
2      | 6 months* | Next release* | Next release | Next release | No fix
1      | no fix*   | no fix*       | no fix       | no fix       | No fix
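The timetable above is the core of the "risk based approach": a remediation deadline is read off from the asset's rating and the finding's severity. The script below is an added example, not code from the deck or from DSGi; it assumes that the rows 5..1 are asset criticality ratings (5 = most critical), that the columns are vulnerability severities, that "N months" means 30·N days, and that the slide's asterisk footnotes add no further rule. The zone-to-rating mapping (built from the zones named on the previous slide) and the sample findings are constructed for illustration only.

```python
"""Remediation deadlines from a severity-by-rating timetable.

Added example, not code from the original deck. Assumptions: table rows
5..1 are asset criticality ratings (5 = most critical), columns are
vulnerability severities, "1 month" = 30 days, and the slide's asterisk
footnotes add no rule. The zone-to-rating map and the findings are
constructed for this example.
"""
import re
from datetime import date, timedelta
from typing import Optional

SEVERITIES = ("Critical", "Important", "High", "Medium", "Low")

# The slide's timetable, cell text kept as written.
SLA_TABLE = {
    5: ("24 hours", "5 days", "14 days", "20 days", "40 days"),
    4: ("5 days", "10 days", "20 days", "1 month", "2 months"),
    3: ("10 days", "20 days", "1 month", "2 months", "3 months"),
    2: ("6 months*", "Next release*", "Next release", "Next release", "No fix"),
    1: ("no fix*", "no fix*", "no fix", "no fix", "No fix"),
}

# Constructed: a rating per network zone named on the diagram slide. The deck
# gives no such mapping; this one only illustrates the lookup.
ZONE_RATING = {
    "acquirer settlement": 5,
    "eBusiness": 5,
    "DMZ": 4,
    "VPN GW": 4,
    "mainframe": 4,
    "head office": 3,
    "internal network": 2,
    "store network": 2,
}

DAYS_PER_MONTH = 30  # assumed approximation for the "N months" cells
REPORT_DATE = date(2008, 10, 1)  # constructed "today" for the sample run

_WINDOW = re.compile(r"(\d+)\s+(hour|day|month)s?")


def sla_window(rating: int, severity: str) -> Optional[timedelta]:
    """Remediation window for (rating, severity); None when the table gives
    no time-bound deadline ("Next release" or "no fix")."""
    cell = SLA_TABLE[rating][SEVERITIES.index(severity)].rstrip("*").lower()
    match = _WINDOW.fullmatch(cell)
    if match is None:
        return None
    n, unit = int(match.group(1)), match.group(2)
    if unit == "hour":
        return timedelta(hours=n)
    if unit == "day":
        return timedelta(days=n)
    return timedelta(days=n * DAYS_PER_MONTH)


def due_date(found: date, rating: int, severity: str) -> Optional[date]:
    """Date by which the finding must be fixed, or None if not time-bound."""
    window = sla_window(rating, severity)
    return None if window is None else found + window


def triage(findings: list, today: date) -> list:
    """Attach rating, due date and status (open / overdue / no deadline) to
    each finding. A finding is a dict with host, zone, severity and found."""
    result = []
    for f in findings:
        rating = ZONE_RATING[f["zone"]]
        due = due_date(f["found"], rating, f["severity"])
        if due is None:
            status = "no deadline"
        elif today > due:
            status = "overdue"
        else:
            status = "open"
        result.append({**f, "rating": rating, "due": due, "status": status})
    return result


def status_counts(triaged: list) -> dict:
    """Summary a project lead would report: how many open / overdue / no deadline."""
    counts: dict = {}
    for item in triaged:
        counts[item["status"]] = counts.get(item["status"], 0) + 1
    return counts


# Constructed sample findings, loosely in the shape of a scan export.
SAMPLE_FINDINGS = [
    {"host": "pay-gw-01", "zone": "acquirer settlement", "severity": "Critical",
     "found": date(2008, 9, 1)},
    {"host": "web-dmz-03", "zone": "DMZ", "severity": "High",
     "found": date(2008, 9, 20)},
    {"host": "store-pos-17", "zone": "store network", "severity": "Medium",
     "found": date(2008, 9, 10)},
    {"host": "ho-file-02", "zone": "head office", "severity": "Low",
     "found": date(2008, 8, 1)},
]

if __name__ == "__main__":
    for item in triage(SAMPLE_FINDINGS, today=REPORT_DATE):
        print(f'{item["host"]:<14} rating={item["rating"]} '
              f'{item["severity"]:<9} due={item["due"]} {item["status"]}')
    print(status_counts(triage(SAMPLE_FINDINGS, today=REPORT_DATE)))
```

Run as a script it lists each sample finding with its derived deadline and status; the "overdue" count is the figure that makes the handover of responsibility to business-unit IT managers measurable. Cells such as "Next release" and "no fix" deliberately produce no date rather than a far-future one, so they cannot be mistaken for an SLA that is still being met.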
Project results
• Patching policy agreed by IT teams
• Weekly vulnerability scans carried out on all external
and critical internal assets - 14 internal
appliances in 7 business units
• 80% of security issues fixed across the group
within first 3 months
• Qualys accepted by IT teams as a “good” tool for
highlighting security issues
• Scanning is now BAU activity
Conclusion
• Looked beyond PCI DSS and adopted risk
based approach (now compliant with v 1.2)
• Each IT team is a separate business unit
• Responsibility for scanning and fixing transferred
to IT managers
Thank You!
• Questions?
• Contact Info:
• Vladimir.jirasek@dgiplc.com or Vladimir@Jirasek.eu
• +447959040187