How to secure an information security environment January 15, 2014 Lance P. Hawk CFE, CGEIT, CISA, CISM, CRISC [email protected]

  • View

  • Download

Embed Size (px)

Text of How to secure an information security environment January 15, 2014 Lance P. Hawk CFE, CGEIT, CISA,...

  • Slide 1

How to secure an information security environment January 15, 2014 Lance P. Hawk CFE, CGEIT, CISA, CISM, CRISC [email protected] Slide 2 About the speaker Lance Hawk has over 30 years of professional experience in various fields of computer security. He is owner and operator of Computer Forensics and IT Security Solutions, LLC, specializing in computer forensics, threat management and IT security solutions. Lance manages and directs an IT Security, Risk and Compliance program for a local international manufacturing company serving as an Information Security Manager and Chief Information Security Officer. He is proficient in the preservation, identification, extraction, recovery, interpretation, and documentation of computer evidence, including the rules of evidence, legal processes, integrity of evidence, and the factual reporting of the information found. Lance serves as a consultant and trainer in the areas of computer security and computer forensics to law enforcement, government, industry and academia. Previously Lance was the manager of computer forensics and global cyber investigations at Air Products and Chemicals, Inc. Served as Past President Philadelphia InfraGard (FBI and industry partnership), Past President of the Information Systems Audit and Control Association and Past President of the Association of Certified Fraud Examiners chapters Slide 3 Agenda Definitions Information Security Principles Security Enablers Information Security Policy Security Requirements and Priorities Input Key Success Factors COBIT 5 ISSC, CISO, ISM Roles ISO 27002 Implementing Controls 20 Essential Security Controls source Target Data Breach and Security Best Practices for PoS Systems Good Sources of Cyber Security Information Slide 4 Definitions FISMA - The Federal Information Security Management Act of 2002 recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA has brought attention within the federal government to cyber security and explicitly emphasized a "risk-based policy for cost- effective security. NSA No Such Agency ISSC vs. CISO vs. ISM NIST vs. COBIT vs. ISO 27002 (International Organization for Standardization successor to BS17799) Slide 5 Information Security Ensures that within your workplace, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity) and non-access when required (availability). Confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information. Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation (an authentication service that provides proof of the integrity and origin of data) and authenticity. Availability means ensuring timely and reliable access to and use of information. The steps to successfully securing information security at your workplace will consist of adopting and successfully implementing information security principles! Slide 6 Information Security Principles 1. Support the business 2. Defend the business 3. Promote responsible information security behavior Slide 7 Information Security Principles 1. Support the business: Focus on the business to ensure that information security is integrated into essential workplace activities. Deliver quality and value to stakeholders to ensure that information security delivers value and meets business requirements. Comply with relevant legal and regulatory requirements to ensure that statutory obligations are met, stakeholder expectations are managed, and civil or criminal penalties are avoided. Provide timely and accurate information on information security performance to support business requirements and manage information risk. Evaluate current and future information threats to analyze and assess emerging information security threats so that informed, timely action to mitigate risk can be taken. Promote continuous improvement in information security to reduce costs, improve efficiency and effectiveness, and promote a culture of continuous improvement in information security. Slide 8 Information Security Principles cont. 2. Defend the business: Adopt a risk-based approach to ensure that risk is treated in a consistent and effective manner. Protect classified information to prevent disclosure to unauthorized individuals. Concentrate on critical business applications to prioritize scarce information security resources by protecting the business applications in which a security incident would have the greatest business impact. Develop systems securely to build quality, cost-effective systems on which business people can rely. 3. Promote responsible information security behavior: Act in a professional and ethical manner to ensure that information security- related activities are performed in a reliable, responsible and effective manner. Foster an information security-positive culture to provide a positive security influence on the behavior of end users, reduce the likelihood of security incidents occurring, and limit their potential business impact. Slide 9 Security Enablers Ethics and culture relating to information security Applicable laws, regulations and policies Applicable contractual regulations Existing policies and practices Maturity level of the current information security enablers Information security capabilities and available resources Industry practices Existing and mandatory standards and frameworks regarding information security Slide 10 Policy Framework Slide 11 Information Security Policy Policy MUST be driven by a controls objectives from COBIT, ISO, etc. Policies provide more detailed guidance on how to put controls into practice and how they will influence decision making. Risk management policy (ISO) Information security policy (ISO) Acceptable use policy* Organization of information security policy (ISO) Asset management policy (ISO) Personnel information/Human Resources security policy (ISO) Physical and environmental information security policy (ISO) Communications and operation management policy (ISO) Access control policy (ISO) Information systems acquisition, software development and maintenance policy (ISO) Incident management policy (ISO) Business continuity and disaster recovery policy (ISO) Compliance policy (ISO) Vendor management policy (Human Resources) Mobile device policy (Access Control/Acceptable Use) Guest wireless policy (Access Control/Acceptable Use) Slide 12 Wearable Device Policy Google Glass/Pebble Smartwatch Just by getting Glass to "see" a malicious QR code, an attacker could force a connection to a malicious Wi-Fi or Bluetooth connection, then eavesdrop on all communications. Admittedly, the attack wouldn't trigger a countdown to global doom, but it does highlight the automated, promiscuous network-connecting habits of mobile devices, Glass included Slide 13 Are you both bald and lost? And want to run a.PPT like this? Then, I have a deal for you Slide 14 Sony Smart Wig There are three versions of the wacky Japanese invention: 1) A built-in laser pointer for.PPT presentations (by tugging the right sideburn and go back a page by pulling on the left) 2) One that guides the user to his or her destination using vibrations and an onboard GPS, and 3) Keeps track of body temperature and blood pressure Slide 15 Security Requirements and Priorities Input Business plan and strategic intentions Management style Information risk profile Risk appetite Slide 16 Key Success Factors The direction and mandate for the information security initiative, as well as visible ongoing commitment and support provided by top management The information security initiative to understand the business and IT objectives supported by all parties Effective communication and enablement of the necessary changes ensured COBIT 5 for Information Security and other supporting good practices and standards (ISO 27002)that are tailored to fit the unique context of your business Adequate funding and resource commitment Adequately skilled human resources who can implement the enablers Focus on quick wins and prioritize the most beneficial improvements that are easiest to implement Slide 17 COBIT 5 COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from information technology (IT) by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. Slide 18 Slide 19 Governance vs. Management The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organizational structures and serve different purposes. Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed- on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives. Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to ac

Search related