
Building the Foundation for a Secure Enterprise:

Learn about ISO27001, NIST, and CSC approaches for securing enterprises. Gain insights into critical components and benefits for effective security programs.



Presentation Transcript


  1. Building the Foundation for a Secure Enterprise: The Critical Controls, ISO27001 and Other Approaches
     Presented by: Douglas Brush & Georg Thomas
     @kraftkennedy | www.kraftkennedy.com/blog | www.linkedin.com/company/kraft-kennedy
     New York | Washington DC | Texas | California

  2. 27+ Years of Experience
     Long Standing Commitment to Legal
     ILTA Platinum Sponsor/ALA Sponsor
     Experienced, Highly Trained & Certified Consultants
     Premier Technology Partner
     • 80 Exchange 2010/2013 Projects, 80,000+ Seats
     • 100 Windows 7/8.1 & Office 2010/2013 Projects, 90,000+ Seats
     • Data Center Migration Strategy and Implementation Projects
     • Disaster Recovery/Business Continuity Planning
     • Technology Assessments
     • Project Management
     • Legal Process Management
     • Security Assessments, Digital Forensics and eDiscovery

  3. Areas of Practice
     • Information Security & Governance
     • Enterprise Client Systems
     • Support Practice Group
     • Legal Process Management
     • Infrastructure
     • Enterprise Systems
     • Project Management
     • Management Consulting

  4. Partners

  5. Agenda
     • Securing the Enterprise
     • Using Frameworks
     • Getting Started
     • Critical Components

  6. Securing the enterprise
     • Why?
     • Breaches
     • Audits
     • Regulatory Compliance
     • Business Continuity

  7. Framework examples
     • ISO (International Organization for Standardization)
       • ISO27001
     • NIST (National Institute of Standards and Technology)
       • SP 800-53
     • CSC (Council on CyberSecurity)
       • Critical Security Controls

  8. ISO 27001/27002
     • ISO 27001:2013
       • Information Security Management System (ISMS)
     • ISO 27002:2013
       • Code of Practice - Implementation
     • ISO 27003-27050

  9. ISO 27001:2013
     • 14 Groups
       • Information Security Policies
       • Organization of Information Security
       • Human Resource Security
       • Asset Management
       • Access Control
       • Cryptography
       • Physical and Environmental Security
       • Operations Security
       • Communications Security
       • System Acquisition, Development & Maintenance
       • Supplier Relationships
       • Information Security Incident Management
       • Information Security Aspects of Business Continuity Management
       • Compliance

  10. NIST: SP 800-53
     • Special Publication 800-53, Rev 4
     • Security and Privacy Controls for Federal Information Systems and Organizations

  11. NIST: SP 800-53
     • 18 Groups – Controls are prefixed: (AC, AT, AU, CA, CM, CP, etc.)
       • Access Control
       • Awareness and Training
       • Audit and Accountability
       • Security Assessment and Authorization
       • Configuration Management
       • Contingency Planning
       • Identification and Authentication
       • Incident Response
       • Maintenance
       • Media Protection
       • Personnel Security
       • Physical and Environmental Protection
       • Planning
       • Program Management
       • Risk Assessment
       • System and Communications Protection
       • System and Information Integrity
       • System and Services Acquisition

  12. CSC Critical controls
     • CSC Critical Security Controls for Effective Cyber Defense
     • Largely technical controls
     • Formerly SANS Top 20 Critical Controls

  13. CSC Critical security controls for effective cyber defense
     • Inventory of Authorized and Unauthorized Devices
     • Inventory of Authorized and Unauthorized Software
     • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
     • Continuous Vulnerability Assessment and Remediation
     • Malware Defenses
     • Application Software Security
     • Wireless Access Control
     • Data Recovery Capability
     • Security Skills Assessment and Appropriate Training to Fill Gaps
     • Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
     • Limitation and Control of Network Ports, Protocols, and Services
     • Controlled Use of Administrative Privileges
     • Boundary Defense
     • Maintenance, Monitoring, and Analysis of Audit Logs
     • Controlled Access Based on the Need to Know
     • Account Monitoring and Control
     • Data Protection
     • Incident Response and Management
     • Secure Network Engineering
     • Penetration Tests and Red Team Exercises

  14. Benefits
     • Help with audits
     • Provide a solid foundation for an effective security program

  15. Getting certified
     • ISO 27001
     • NIST 800-53
     • CSC

  16. Overlapping controls
     • Many Controls Overlap
     • Matrix Available to Compare

  17. Getting started
     • Steps every firm should take
       • Information Security Policies
       • Antivirus/AntiMalware
       • Web and Email Filtering
       • Multi-Factor Authentication
       • Network Architecture
       • Intrusion Detection and Prevention
       • Data Protection
       • Network Security
       • Security Awareness Training

  18. Information security policies
     • Acceptable Use Policy
     • Password Policy

  19. Antivirus & antimalware
     • Deploy
     • Update
     • Monitor

  20. Web and email filtering
     • On Premise vs Cloud Based
     • Blocking
     • Monitoring

  21. Multi-factor authentication
     • External/Remote Access
     • Administrative Access
     • Sensitive Data Access
     • MFA/2FA Options

  22. Network architecture
     • DMZ – Demilitarized Zone
     • VLAN – Virtual Local Area Network
     • Firewalls

  23. Intrusion detection and prevention
     • IDS
     • IPS
     • SIEM
     • Continuous Monitoring and Security Operations
     • Firewalls
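A SIEM or continuous-monitoring function ultimately comes down to correlation rules run over audit logs. As an added example (not from the presentation), the script below implements one such rule over constructed OpenSSH-style syslog lines: a source address that fails authentication `threshold` times within `window_seconds` is flagged, and a successful login from an already-flagged address is raised as a higher-priority alert. Hostnames, addresses and timestamps are all constructed.

```python
"""Sliding-window failed-login correlation over syslog-style sshd lines.

Added example for the IDS/SIEM bullets; standard library only. The log
lines, hostnames and addresses are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input (documentation addresses 203.0.113.0/24, 198.51.100.0/24).
SAMPLE_LOG = """\
Jan 10 09:00:01 fileserver sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jan 10 09:00:03 fileserver sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2
Jan 10 09:00:04 fileserver sshd[2101]: Failed password for root from 203.0.113.5 port 51124 ssh2
Jan 10 09:00:06 fileserver sshd[2101]: Failed password for root from 203.0.113.5 port 51125 ssh2
Jan 10 09:00:07 fileserver sshd[2101]: Failed password for jsmith from 203.0.113.5 port 51126 ssh2
Jan 10 09:00:09 fileserver sshd[2101]: Accepted password for jsmith from 203.0.113.5 port 51127 ssh2
Jan 10 09:15:00 fileserver sshd[2230]: Failed password for jsmith from 198.51.100.7 port 40000 ssh2
Jan 10 09:40:00 fileserver sshd[2231]: Accepted publickey for jsmith from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port"
)


def parse(line, year=2015):
    """Return a dict for an sshd auth line, or None for lines the rule ignores.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(log_text, threshold=5, window_seconds=60):
    """Correlate failures per source IP in a sliding time window.

    Returns a list of (alert_type, source_ip, detail) tuples, in log order:
      BRUTE_FORCE                - threshold failures inside the window
      SUCCESS_AFTER_BRUTE_FORCE  - a later accepted login from a flagged IP
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            # drop failures that have aged out of the window
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("BRUTE_FORCE", ev["ip"],
                               f"{len(q)} failures within {window_seconds}s"))
        elif ev["ip"] in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ev["ip"],
                           f"user {ev['user']} logged in after burst"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The second alert type is the one worth paging on: a burst of failures is noise on any internet-facing host, but a success from the same source right after it is the signal that a password guess landed and that the account needs a reset and the session a review.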

  24. Data protection
     • In Transit
       • Transport Layer Security (TLS)
       • Secure Sockets Layer (SSL)
     • At Rest
       • Hard Drive Encryption
       • Backup Encryption
       • Database Encryption
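The in-transit bullets name TLS and SSL side by side; in practice SSL (all versions) and TLS 1.0/1.1 are deprecated, and the protection only holds if the client also verifies the server's certificate and hostname. The added example below, which is not from the presentation, contrasts a legacy client configuration with a hardened one using Python's `ssl` module and includes a small audit function a reviewer can point at any context to confirm the settings. It assumes the system CA store is available when `cafile` is not given.

```python
"""Hardened vs legacy TLS client contexts, with an audit helper.

Added example for the "In Transit" bullets; standard library only.
"""
import ssl
import socket


def hardened_client_context(cafile=None):
    """TLS 1.2+ only, certificate chain and hostname verified.
    With cafile=None the platform's default CA store is loaded."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_client_context():
    """The pattern seen in older integration code: verification switched off
    to make a self-signed or misnamed certificate 'work'. Any on-path party
    can then present its own certificate and read the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


def fetch_peer_subject(host, port=443, ctx=None, timeout=5):
    """Open a verified connection and return the peer certificate's subject.
    Network call; not exercised by the embedded checks."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert().get("subject"), tls.version()


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "ok")
    print("legacy:  ", audit_context(legacy_client_context()))
```

The same three checks (chain verified, hostname verified, floor at TLS 1.2) are what to look for in any language's HTTP client settings; the at-rest bullets have an analogous audit, namely confirming that disk, backup and database encryption is actually switched on and that the keys are held somewhere other than on the encrypted media.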

  25. Network security
     • Wired
       • 802.1x
     • Wireless
       • 802.1x
       • WPA2

  26. Security awareness training
     • Conduct Regular Security Awareness Training
     • Evaluate effectiveness of training

  27. Key takeaways
     • Implement Security Program
       • Security Policies
       • Security Architecture
       • Training
     • Align with a framework
     • Implement Best Practices
     • Self-Audit

  28. QUESTIONS
     • Douglas Brush
       • +1(212)692-5616
       • brush@kraftkennedy.com
       • linkedin.com/in/douglasabrush
     • Georg Thomas
       • +1(212)692-5687
       • thomas@kraftkennedy.com
       • linkedin.com/in/georgthomas
       • @georgathomas
