
SaaS Security Programs: Build What You Seek


Page 1: SaaS Security Programs: Build What You Seek

FS15 Title Slide (WIP)

• Shaun Gordon, CSIO, New Relic

Page 2

©2008-15 New Relic, Inc. All rights reserved.

Safe Harbor

This document and the information herein (including any information that may be incorporated by reference) is provided for informational purposes only and should not be construed as an offer, commitment, promise or obligation on behalf of New Relic, Inc. (“New Relic”) to sell securities or deliver any product, material, code, functionality, or other feature. Any information provided hereby is proprietary to New Relic and may not be replicated or disclosed without New Relic’s express written permission.

Such information may contain forward-looking statements within the meaning of federal securities laws. Any statement that is not a historical fact or refers to expectations, projections, future plans, objectives, estimates, goals, or other characterizations of future events is a forward-looking statement. These forward-looking statements can often be identified as such because the context of the statement will include words such as “believes,” “anticipates,” “expects” or words of similar import.

Actual results may differ materially from those expressed in these forward-looking statements, which speak only as of the date hereof, and are subject to change at any time without notice. Existing and prospective investors, customers and other third parties transacting business with New Relic are cautioned not to place undue reliance on this forward-looking information. The achievement or success of the matters covered by such forward-looking statements are based on New Relic’s current assumptions, expectations, and beliefs and are subject to substantial risks, uncertainties, assumptions, and changes in circumstances that may cause the actual results, performance, or achievements to differ materially from those expressed or implied in any forward-looking statement. Further information on factors that could affect such forward-looking statements is included in the filings we make with the SEC from time to time. Copies of these documents may be obtained by visiting New Relic’s Investor Relations website at ir.newrelic.com or the SEC’s website at www.sec.gov.

New Relic assumes no obligation and does not intend to update these forward-looking statements, except as required by law. New Relic makes no warranties, expressed or implied, in this document or otherwise, with respect to the information provided.

Page 3

Effective SaaS Security

Page 4

Not a Checklist

Page 5

Not a Shopping List

Page 6

It’s about Maturity

Page 7

Maturity is:

• The Team
• Processes
• Policies
• Compliance
• Monitoring
• Transparency
• Mindset

Page 8

The Team

Page 9

Questions about The Team

• Describe your security organization, including the title of the person who leads it, its size, and the number of people 100% dedicated to it.

• How do you handle security incidents? Describe your response to any recent security event.

Page 10

Processes

Page 11

Questions about Processes

• How is the security team involved in reviewing the software development process?

• How do you ensure or validate the security of the code that is pushed to your production systems?

• How are employees and third parties authenticated?

• How do you ensure employees are deprovisioned when they leave the company, and appropriately reprovisioned when they change roles?

Page 12

Policies

Page 13

Questions about Policies

• Do you have documented security policies? Please provide copies, if available.

• Do you classify data based on sensitivity? If so, how?

• What are your data sharing and retention policies and practices?

• Do you allow your employees to remove customer data from the production environment? If so, under what circumstances?

• Which of your employees have access to customer data, and why?

• Which third parties will have access to that data, and how do you ensure that they will protect it?

Page 14

Page 15

Questions about Compliance

• Do you have a good understanding of the regulations and/or industry standards that are largely applicable to you? Please list them, as well as your current evaluation of your compliance status (yes, no, partially) with each one.

• Are there any major security exceptions and gaps that you are aware of impacting your compliance obligations? If so, what is your roadmap for addressing them?

Page 16

Monitoring

Page 17

Questions about Monitoring

• How do you know if there are new vulnerabilities in your network, servers, and applications?

• How would you know if your network, servers, and/or applications are breached or compromised?

• How do you monitor, log, and/or audit all access to your network and/or customer data?

Page 18

Page 19

Questions about Transparency

• Do you perform external assessments, and at what frequency? Please provide the latest reports, if available.

Page 20

Mindset

Page 21

Compliance and Security Awareness

Page 22

Page 23

Our Company Consists of People

Page 24

We play the Long Game

Page 25

We manage our Capital

Page 26

Questions about Mindset

• How are information security responsibilities communicated to employees who work with customer data? How frequently?

Page 27

How do we Measure?

Page 28

Learning Matrix (2x2)

UNCONSCIOUS INCOMPETENCE    UNCONSCIOUS COMPETENCE
CONSCIOUS INCOMPETENCE      CONSCIOUS COMPETENCE

Page 29

Security Maturity Matrix (same 2x2 layout as the Learning Matrix)

UNCONSCIOUS INCOMPETENCE
• No Security Program or Team
• Handwaving
• No Policies or Processes
• Poor Access Control
• No Compliance Awareness
• Security back-of-mind

UNCONSCIOUS COMPETENCE
• Large Security Team
• Formal Security Reviews
• Audited Policies & Processes
• Compliance Evidence
• Companywide Mindset

CONSCIOUS INCOMPETENCE
• Designated, not Dedicated, Sec Team
• Understanding Concerns
• Ad-Hoc Policies & Processes
• Aware of Compliance Requirements
• Checklist Security

CONSCIOUS COMPETENCE
• Dedicated Security Team
• Documented Policies & Processes
• No Compliance Auditing
• Security Monitoring
• Pragmatic Security

Page 30

Allowable Use (same 2x2 layout as the Learning Matrix)

UNCONSCIOUS INCOMPETENCE
• OK for PUBLIC data (but even then, we probably wouldn’t recommend it)

UNCONSCIOUS COMPETENCE
• OK for any RESTRICTED data (e.g. CCs, SSNs)

CONSCIOUS INCOMPETENCE
• OK for INTERNAL data (e.g. workplace plans)

CONSCIOUS COMPETENCE
• OK for CONFIDENTIAL data (e.g. customer data, PII, finance data)

Page 31

Security Maturity Matrix

Page 32

FS15 Thank You Slide (WIP)

• Shaun Gordon, CSIO, New Relic