Proactive Information Security: Asking the Right Questions
Michael Calderin, CISSP-ISSMP, CCISO, CEH
michael@calder.in
http://calder.in
Are you a roadblock to progress?
- Information security must evolve from just an IT project to the core of critical business decisions.
- As an Information Security Leader:
  - You must protect enterprise data from compromise
  - AND drive innovation at the same time
Gartner, Inc. (2014). Information Security. Retrieved from Gartner: http://www.gartner.com/technology/topics/information-security.jsp
Are you supporting your organization’s outcomes or inhibiting them? What do your peers think?
How do other executives see our jobs?
- To the average senior executive, security seems easy – lock the doors and post a guard.
- “Use all of that money that has been allocated to IT and come up with the entirely safe computer.”
- “Stop talking about risks and vulnerabilities and solve the problem.”
- Information security is complex, and simple solutions are often the best for non-practitioners.
Sherizen, S. (2000). The Business Case for Information Security: Selling Management on the Protection of Vital Secrets and Products. Retrieved from IT Today: http://www.ittoday.info/AIMS/DSM/82-01-32.pdf
What can we offer?
- Compliance enforcer and advisor
  - As our IT environment grows, so do the legalities to be considered to comply with laws and regulations.
  - We assist management in making sure that the organization is in compliance with the law.
- Business enabler and company differentiator
  - The internet has changed how organizations offer goods and services. Information security must add value by making interaction easy while keeping customer activities secure and private.
  - We provide security to differentiate our organization by including security for free alongside the goods and services offered by our organization. This can boost customer satisfaction and encourage further use of online activities.
- Total quality management contributor
  - Quality is directly related to information security. Confidentiality, integrity, and availability (CIA) allow an organization to offer customer service that is protected, personal, and convenient.
  - We combine proper controls over processes, machines, and personnel, balancing our organization’s needs for production and protection. Our information security programs boost online transactions by helping customers see them as safe and reliable.
- “Peopleware” controller
  - Information security helps control the unauthorized behavior of people through need-to-know and segregation-of-duties policies.
  - We translate managerial decisions into information security policies, programs, and practices. We structure authorized usage and detect unauthorized usage.
Sherizen, S. (2000). The Business Case for Information Security: Selling Management on the Protection of Vital Secrets and Products. Retrieved from IT Today: http://www.ittoday.info/AIMS/DSM/82-01-32.pdf
How can we quickly and strategically become more proactive?
The answer is not a technology, product, or vendor.
Proactive Process
- Integrate security into processes
- Create a culture of security
- Address issues before they become threats
[Diagram: Prevention on one side, Detection & Remediation on the other]
My Situation
- Mid-sized business unit
- Less than 1000 people
- Multiple countries with varied regulatory requirements
- Relatively consolidated IT team
- Enormous change throughout our organization
- Security had a reputation for being disruptive and a bottleneck
- New staff carry over their expectations from prior roles
- Proactive security is a recent way of thought
The Tool: A Questionnaire
- Organizations may conduct an information security review before changing their systems
  - Often informal and poorly documented
  - Reviews are rarely built into a change process
  - Still appropriate for today's business and regulatory environment?
- Develop a standard questionnaire to be completed as part of the change process
  - Complete the questionnaire as early in the process as possible
  - Responsibility for the change
  - Technical security impacts
  - Physical security considerations
  - Logical security requirements
  - Disaster recovery and business continuity
Overly, M. R., Howell, C. T., & Scarano, R. M. (2012, February 1). A Proactive Approach to Information Security in Health Information Technology Procurements. (Foley & Lardner LLP) Retrieved from Association of Corporate Counsel: http://www.acc.com/legalresources/quickcounsel/apatisihit.cfm
[Diagram: the questionnaire surrounded by Availability, Integrity, and Confidentiality]
Privacy & Security Impact Assessment
- Decision-making tool used to identify and mitigate risks associated with new or changing systems
- Helps us understand how sensitive data is to be collected, used, shared, accessed, and stored
- Required
  - Before sending business requirements for development
  - Before operationalizing new systems
  - As part of the change process
- Completed by those who best understand the change
- Reviewed by those who best understand privacy & security implications
- Approved PSIAs available for review within the organization
United States Department of Homeland Security. (2014, January 30). Privacy Compliance. Retrieved from Homeland Security: http://www.dhs.gov/privacy-compliance
I didn’t invent this.
- Recommended by leading information security organizations:
  - ISACA
  - SANS
  - United Kingdom National Health Service
  - United States Securities and Exchange Commission
  - United States Department of Defense
  - United States Department of Health and Human Services
My Approach
Advantages:
- Easy to understand
- Completed in minutes
- Addresses confidentiality, integrity, and availability
Disadvantages:
- Captures only basic info
- Qualitative assessment; not a quantitative risk analysis
Requires short training and expert review.
1 Page, 2 Sections, 10 Questions
1. How sensitive is the information (how is it classified)?
2. What Personally Identifiable Information is used?
3. Which types of Protected Health Information are used?
4. Which critical systems are affected?
5. How will the information be used (a summary of the requirements)?
6. Are any third parties involved? If so, which ones?
7. If database changes are needed, what kinds?
8. Where is the production equipment physically located?
9. What is the business continuity impact?
10. What access rights will be needed and for whom?
Review
- Weekly review with interested parties
- If we have questions, we reach out to the person who completed the PSIA and/or the project sponsor
- Formal signoff on approval
- Otherwise, new requirements or controls are communicated
Results
- Integrate security into processes
  - Security is now considered when business requirements are documented
- Build a culture of security
  - Over time, security requirements are thought of by other staff throughout the organization
- Address issues before they become threats
  - Reviewing and discussing issues before work begins helps to control costs, deliver on time, and position security as a friend to the organization
- Provide assurance to your executive team
  - Addressing issues before they become threats allows us to focus on reacting to external threats
Questions?
michael@calder.in
http://calder.in