Information Security in a Compliance World

1. Information Security in a Compliance World RK Dixon Tech Summit ‘12 – November 7, 2012 Presented by Evan Francen, President – FRSecure, LLC http://www.frsecure.com | 952-467-6384

2. Introduction Thank you for attending! Thank you to RK Dixon for inviting us! http://www.frsecure.com | 952-467-6384

3. Introduction Before we get started: • This is not your typical presentation. • What you have to say is as important as what I am going to tell you. • You are encouraged to participate! I will ask you questions, if you don’t ask me some! http://www.frsecure.com | 952-467-6384

4. Introduction FRSecure • Information security consulting company – it’s all we do. • Established in 2008 by people who have earned their stripes in the field. • We help small to medium sized organizations solve information security challenges. http://www.frsecure.com | 952-467-6384

5. Introduction Speaker – Evan Francen, CISSP CISM CCSK • President & Co-founder of FRSecure • 20 years of information security experience • Security evangelist with more than 700 published articles • Experience with 150+ public & private organizations. http://www.frsecure.com | 952-467-6384

6. Introduction Topics • What drives information security in your organization? • What is information security? • Customer requirements • Compliance • Compliant = Secure? • Solution - Strategic Information Security • Top Five Things You Should Do (Tactically & Strategically) • Need Help? – Contact Us! http://www.frsecure.com | 952-467-6384

7. What drives information security at your organization? This is a question for you? http://www.frsecure.com | 952-467-6384

8. Maybe an explanation of information security would help… In your opinion/words, what is information security? http://www.frsecure.com | 952-467-6384

9. What is Information Security? http://www.frsecure.com | 952-467-6384

10. Information Security Is Not an IT Issue The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information. IT-centric information security over-emphasizes Technical Control, often at the expense of Administrative and Physical Control. IT-centric information security also places an over-emphasis on Availability of systems, sometimes at the expense of Confidentiality and Integrity. http://www.frsecure.com | 952-467-6384

11. Back to our question; what drives information security at your organization? Customer Requirements? Regulations? • HIPAA, GLBA, FTC, FERPA, Computer Fraud and Abuse Act, etc. Risk? Really, there is only one good answer. http://www.frsecure.com | 952-467-6384

12. Customer Requirements What’s the problem with customer requirements? • Different customers, different requirements • Customers don’t know your business like you do • Customer protection is more important than your success • Customers are probably more confused than you are Should the basis of your information security strategy be customer requirements? http://www.frsecure.com | 952-467-6384

13. What’s the problem with compliance? • You’re in business to make money, right? • Information security is not one size fits all • Regulators and examiners are not information security professionals • Compliance is confusing, yes? Should the basis of your information security strategy be compliance? http://www.frsecure.com | 952-467-6384

14. Compliant DOESN’T mean Secure! Today’s compliance landscape is confusing! Federal Regulations: • HIPAA, GLBA, FTC, FERPA, Computer Fraud and Abuse Act, etc. State Regulations: • Breach notification laws, data destruction laws, data protection laws Industry Regulations: • Payment Card Industry Data Security Standard (PCI-DSS) Customer Requirements: • Good luck! http://www.frsecure.com | 952-467-6384

15. Solution – A strategic approach to information security Principles of strategic information security: • Alignment with business objectives • It’s all about people – culture • Management involvement • Proactive vs. Reactive • Forward-looking • Formal OWN IT! http://www.frsecure.com | 952-467-6384

16. Top Five Things for You To Do #1 – Conduct a risk assessment • Where are your most significant risks? • What risk is the highest (priority)? • How will we justify our existence (expenditures)? • How do we measure what we’re doing? http://www.frsecure.com | 952-467-6384

17. Top Five Things for You To Do #2 – Documented Policies & Procedures • Policies are one tool we use to set culture. • What is management’s view? • Nobody reads policy, bummer. • People are the biggest risk. • Policies set direction and governance http://www.frsecure.com | 952-467-6384

18. Top Five Things for You To Do #3 – Patch your systems & install antivirus • Together, not one in lieu of the other • Might be a pain, but it’s worth it (trust me) • This is the song that never ends… http://www.frsecure.com | 952-467-6384

19. Top Five Things for You To Do #4 – Training & Awareness • How do users know what to do if you don’t tell them? • Remember culture? http://www.frsecure.com | 952-467-6384

20. Top Five Things for You To Do #5 – Incident Response http://www.frsecure.com | 952-467-6384

21. DON’T FORGET Sometimes information security professionals forget this fact! • Not all risks require mitigation/remediation • Information security must be strategic • Information security strategy must align with business strategy • Avoid business vs. information security scenarios • Information security controls should be as transparent as possible http://www.frsecure.com | 952-467-6384

22. Top Five Things for You To Do BONUS Govern mobile devices • Data doesn’t stay home anymore • How do you protect data on mobile devices? http://www.frsecure.com | 952-467-6384

23. How we help – Risk Assessment http://www.frsecure.com | 952-467-6384

24. How we help – Risk Management (Build & Manage) http://www.frsecure.com | 952-467-6384

25. Need Help? Contact FRSecure! Some of our services: • Information Security Assessments • Compliance Assessments (i.e. HIPAA, GLBA, etc.) • Customer Required Assessments • Internal Network Vulnerability Assessments • External Network Security Assessments • Penetration Testing • BC/DR Plans • Policy Creation Evan Francen, CISSP CISM • Outsourced Security Resources President evan@frsecure.com 952-467-6384 (direct) www.frsecure.com http://www.frsecure.com | 952-467-6384

26. Thank you! Questions? http://www.frsecure.com | 952-467-6384

Information Security in a Compliance World

Vous êtes en train de lire un aperçu.

Consultez-les par la suite

Information Security in a Compliance World

Plus De Contenu Connexe

Diaporamas pour vous (6)

Les utilisateurs ont également aimé (20)

Similaire à Information Security in a Compliance World (20)

Plus par Evan Francen (17)

Plus récents (20)