
Presentation for Directors Conference PKIC


Page 1: Presentation for Directors Conference PKIC

© 2015 Protiviti Inc.CONFIDENTIAL: An Equal Opportunity Employer M/F/D/V. This document is for your company's internal use only and may not be copied nor distributed to another third party.

PRESENTATION FOR DIRECTORS' CONFERENCE

NOVEMBER 2015

Page 2: Presentation for Directors Conference PKIC


CORRELATION BETWEEN DIRECTOR INVOLVEMENT AND GOOD SECURITY

Chart: confidence in the organization's ability to

• Monitor, detect and escalate a potential security incident
• Prevent a targeted external attack
• Prevent a breach by a company insider

compared for organizations with director involvement (scores of 8.0, 7.8 and 7.7) and without director involvement (scores of 6.5, 6.4 and 6.1).

*Scale: 1-10, where 10 = high confidence and 1 = low confidence

Page 3: Presentation for Directors Conference PKIC


SECURITY STANDARDS

INFORMATION SECURITY STANDARDS: PICK, FOLLOW, MEASURE

NIST CSF

Structure: Functions, Categories, Sub-categories, Informative References

Functions:

• Identify
• Protect
• Detect
• Respond
• Recover

SANS Top 20

• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Continuous Vulnerability Assessment and Remediation
• Controlled Use of Administrative Privileges
• Maintenance, Monitoring, and Analysis of Audit Logs
• Email and Web Browser Protections
• Malware Defenses
• Limitation and Control of Network Ports, Protocols, and Services
• Data Recovery Capability
• Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Boundary Defense
• Data Protection
• Controlled Access Based on the Need to Know
• Wireless Access Control
• Account Monitoring and Control
• Security Skills Assessment and Appropriate Training to Fill Gaps
• Application Software Security
• Incident Response and Management
• Penetration Tests and Red Team Exercises

ISO 27000 MODEL

Business Continuity Management System cycle: Plan, Do, Check, Act

Page 4: Presentation for Directors Conference PKIC


PHISHING


Page 5: Presentation for Directors Conference PKIC


CAN YOU PREVENT DATA BREACH?


At least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to could be prevented by following the Top 4 mitigation strategies listed in the ASD Strategies to Mitigate Targeted Cyber Intrusions:

• Application whitelisting, to help prevent malicious software and unapproved programs from running.
• Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office.
• Patch operating system vulnerabilities.
• Restrict administrative privileges to operating systems and applications based on user duties.

The Strategies to Mitigate Targeted Cyber Intrusions are ranked in order of overall effectiveness. Rankings are based on ASD’s analysis of reported security incidents and vulnerabilities detected by ASD in testing the security of Australian government networks.

Page 6: Presentation for Directors Conference PKIC


VERIFICATION


YOUR SECURITY IS AS GOOD AS YOU THINK. MOST OF THE TIME IT ISN’T.

Page 7: Presentation for Directors Conference PKIC