© 2015 Protiviti Inc.CONFIDENTIAL: An Equal Opportunity Employer M/F/D/V. This document is for your company's internal use only and may not be copied nor distributed to another third party.
PRESENTATION FOR DIRECTORS' CONFERENCE
NOVEMBER 2015
CORRELATION BETWEEN DIRECTOR INVOLVEMENT AND GOOD SECURITY

[Chart: confidence ratings, with directors' involvement vs. without directors' involvement, for three capabilities]
• Monitor, detect and escalate potential security incident
• Prevent targeted external attack
• Prevent breach by a company insider
Values shown on the chart, as extracted: 8.0, 7.8, 7.7 and 6.5, 6.4, 6.1.
*Scale: 1-10 (10 = high confidence, 1 = low confidence)
SECURITY STANDARDS

INFORMATION SECURITY STANDARDS: FOLLOW, PICK, MEASURE

NIST CSF
Framework core: Functions, Categories, Sub-categories, Informative references
Functions:
• Identify
• Protect
• Detect
• Respond
• Recover

SANS Top 20
• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Continuous Vulnerability Assessment and Remediation
• Controlled Use of Administrative Privileges
• Maintenance, Monitoring, and Analysis of Audit Logs
• Email and Web Browser Protections
• Malware Defenses
• Limitation and Control of Network Ports, Protocols, and Services
• Data Recovery Capability
• Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Boundary Defense
• Data Protection
• Controlled Access Based on the Need to Know
• Wireless Access Control
• Account Monitoring and Control
• Security Skills Assessment and Appropriate Training to Fill Gaps
• Application Software Security
• Incident Response and Management
• Penetration Tests and Red Team Exercises

ISO 27000 MODEL
Business Continuity Management System: Plan, Do, Check, Act cycle
PHISHING
CAN YOU PREVENT DATA BREACH?

At least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to could be prevented by following the Top 4 mitigation strategies listed in the ASD Strategies to Mitigate Targeted Cyber Intrusions:
• Application whitelisting to help prevent malicious software and unapproved programs from running.
• Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office.
• Patch operating system vulnerabilities.
• Restrict administrative privileges to operating systems and applications based on user duties.

The Strategies to Mitigate Targeted Cyber Intrusions are ranked in order of overall effectiveness. Rankings are based on ASD’s analysis of reported security incidents and vulnerabilities detected by ASD in testing the security of Australian government networks.
VERIFICATION

YOUR SECURITY IS AS GOOD AS YOU THINK. MOST OF THE TIME IT ISN'T.