1.
Information Security for
Leaders, From a Leader
TechPulse 2012 – April 17th, 2012
Presented by Evan Francen, President – FRSecure, LLC
http://www.frsecure.com | 952-467-6384

2.
Introduction
Before we get started:
• This is not your typical presentation.
• What you have to say is as important as what I am
going to tell you.
• You are encouraged to participate!
I will ask you questions, if you don’t ask me some!
http://www.frsecure.com | 952-467-6384

3.
Introduction
FRSecure
• Information security consulting company – it’s all
we do.
• Established in 2008 by people who have earned
their stripes in the field.
• We help small to medium sized organizations
solve information security challenges.
http://www.frsecure.com | 952-467-6384

4.
Introduction
Speaker – Evan Francen, CISSP CISM CCSK
• President & Co-founder of FRSecure
• 20 years of information security experience
• Security evangelist with more than 700 published articles
• Experience with 150+ public & private organizations.
http://www.frsecure.com | 952-467-6384

5.
Introduction
Topics
• What is information security?
• What do business leaders need to know?
• You’re in business to make money
• Understand risk and manage it
• How we help?
• Where should you start?
• Need Help? – Contact Us!
http://www.frsecure.com | 952-467-6384

6.
When you think of information
security, how do you feel?
Be honest
http://www.frsecure.com | 952-467-6384

7.
What is information
security?
This is really a question for you
http://www.frsecure.com | 952-467-6384

8.
What is Information Security?
http://www.frsecure.com | 952-467-6384

9.
Information Security Is Not an IT Issue
The application of Administrative, Physical and Technical controls in an effort
to protect the Confidentiality, Integrity, and Availability of Information.
IT-centric information security over-emphasizes Technical Control, often at
the expense of Administrative and Physical Control.
IT-centric information security also places an over-emphasis on Availability of
systems, sometimes at the expense of Confidentiality and Integrity.
http://www.frsecure.com | 952-467-6384

10.
It’s not compliance, but compliance is important
Today’s compliance landscape is confusing!
Federal Regulations:
• HIPAA, GLBA, FTC, ECPA, Computer Fraud and Abuse Act, etc.
State Regulations:
• Breach notification laws, data destruction laws, data protection laws
Industry Regulations:
• Payment Card Industry Data Security Standard (PCI-DSS)
Customer Regulations:
• Good luck!
http://www.frsecure.com | 952-467-6384

11.
What do business leaders need to know?
Business leaders have ultimate responsibility for
information security
Due Care (aka “duty of care”):
• Provides a framework that helps to define a minimum standard of
protection that business stakeholders must attempt to achieve.
• Often reference the Prudent Man Rule, and require that the organization
engage in business practices that a prudent, right thinking, person would
consider to be appropriate.
• Businesses that are found to have not applied this minimum duty of care
can be deemed as having been negligent in carrying out their duties
http://www.frsecure.com | 952-467-6384

12.
What do business leaders need to know?
Business leaders have ultimate responsibility for
information security
Due Diligence:
• Requires that an organization continually scrutinize their own practices to
ensure that they are always meeting or exceeding the requirements for
protection of assets and stakeholders
• Due diligence is the management of due care: it follows a formal process
• Persons are said to have exercised due diligence, and therefore cannot be
considered negligent, if they were prudent in their investigation of potential
risks and threats
http://www.frsecure.com | 952-467-6384

13.
You are in business to make money
Sometimes information security professionals forget
this fact!
• Not all risks require mitigation/remediation
• Information security must be strategic
• Information security strategy must align with business strategy
• Avoid business vs. information security scenarios
• Information security controls should be as transparent as possible
http://www.frsecure.com | 952-467-6384

14.
The Answer:
Understand Risk and Manage it.
• Risk is unique to your business and environment;
information security is not a one-size-fits-all solution
• Likelihood x Impact
• Risks change as your business environment changes
• There is no “easy button”
• You don’t need to know about every risk, but you must
know about the significant ones.
http://www.frsecure.com | 952-467-6384

15.
How we help – Risk Assessment
http://www.frsecure.com | 952-467-6384

16.
How we help – Risk Management (Build &
Manage)
http://www.frsecure.com | 952-467-6384

17.
Where should you start?
Conduct a risk assessment
• Do it right
• Comprehensive
• Quantified/Measured/Scored
• Choose a standard
(ISO, NIST, COBIT, etc.)
http://www.frsecure.com | 952-467-6384

18.
Where should you start?
Make Decisions
Once you understand your risks, You can:
decide what you want to do • Accept some risk
about them. • Mitigate some risk
• Transfer some risk
Where organizations get in trouble is in ignoring risks and/or
assuming that they don’t exist.
http://www.frsecure.com | 952-467-6384

19.
Where should you start?
Your own information security risk management
program:
• Conduct Risk Assessment
• Make Decisions
• Plan Strategically
• Update Regularly
http://www.frsecure.com | 952-467-6384

20.
Need Help? Contact FRSecure!
Some of our services:
• Information Security Assessments
• Compliance Assessments (i.e. HIPAA, GLBA, etc.)
• Customer Required Assessments
• Internal Network Vulnerability Assessments
• External Network Security Assessments
• Penetration Testing
• BC/DR Plans
• Policy Creation Evan Francen, CISSP CISM
• Outsourced Security Resources President
evan@frsecure.com
952-467-6384 (direct)
www.frsecure.com
http://www.frsecure.com | 952-467-6384

21.
Thank you!
Questions?
http://www.frsecure.com | 952-467-6384