
DataCentric Security and your users


Presentation Transcript


  1. DataCentric Security and your users Michelle Drolet, CEO October 20, 2011

  2. Discussion topics • What is “datacentric security?” • Overview • Risk management, Threat management, Compliance management • Compliance • Overall security plan, program, architecture, organizational security posture, awareness/training, communications • Q&A

  3. A “textbook” definition • Security – Developing, implementing and maintaining a program and plans to protect the confidentiality, integrity, and availability (and authentication or accountability) of information assets, thereby enabling the organization to carry out its mission. The information security triad: C/I/A and sometimes +A (where +A = Accountability or Authentication)

  4. Some unfortunate “infosec” realities • Anyone connecting to the Internet – with any device – is under constant “cyberattack” by: • Organized cybercriminals, “hacktivists,” nation-states conducting “cyberwarfare” • Attack toolkits with user guides are readily available to anyone – no technical background required • Malware has grown in number of variants, sophistication, targets and motivation • Conventional wisdom is no longer valid, such as “only visit well-known and respected sites” • 80% of malware was served up by “legitimate” websites (Sophos) • Attack surfaces have increased dramatically with the introduction of new consumer gadgets: • iPhone/Android, iPod Touch, iPad and other tablets, rogue WAPs, unsecured WiFi, user-owned devices, lost or stolen devices, etc.

  5. Some unfortunate “infosec” realities (cont’d) • Compliance requirements continue to become more onerous – and have more enforcement “teeth” • HITECH for Business Associates, MA 201 CMR 17.00, and others • Data breaches at non-compliant organizations will result in regulatory audit, civil and even criminal penalties • Regulatory legalese is lengthy and complex; requirements are ambiguous and/or overlapping • All organizations – regardless of size – must demonstrate due diligence and make every effort to comply • Compliance AND non-compliance can “break the bank” for SMBs • Social networks, fake AV, other scams fool users into click-jacking or Trojan schemes – even home burglary and other crimes due to information over-sharing

  6. DataCentric Security • 1st Management buy in • 2nd Develop a repeatable program • 3rd Document • 4th Get Users on board • 5th Test controls and test again

  7. Towerwall’s 4E Methodology: Evaluate, Establish, Educate, Enforce (People, Process, Technology)

  8. Use case: DataCentric Security “the beginning” Evaluate • Data inventory and classification • Infrastructure and desktop utilization reviews • IT asset and configuration management • Compliance • Other organizational / cultural issues • What are the expected risks/benefits to implement a data security program?

  9. Use case: DataCentric Security and the Program Establish • Administrative • Policies • Physical • Technical • What controls are needed to realize the benefits and mitigate the risks for a data protection program?

  10. Use case: Users and DataCentric Security Educate • Expectations of workforce member behaviors documented in policies, procedures, processes • Violation sanctions / disciplinary actions • Reporting suspicious behaviors / incidents / risks • Practicing “safe computing” habits • What knowledge and behaviors does the organization expect the workforce to understand and apply to daily work activities?

  11. Use case: DataCentric Security Enforce • What do the administrative, physical and technical controls tell us about required v. actual behaviors? • Logging and monitoring • Required disclosure reporting • Incident response and related processes • Other compliance and cultural issues • What options does the organization have for protecting data in a VM and/or cloud environment?

  12. Risk Management • Assess current risks relative to your information assets; • Compare those risks to your information security program; • Identify gaps or overlaps (under- or over-investment) in your existing information security program; • Develop and implement a plan to remediate risks, and align your security program with your current needs; • Re-assess and remediate at least annually – and anytime a substantive business model, compliance, or information asset-related change occurs.

  13. Compliance Management • Internal compliance (company-mandated policies and procedures); • External compliance (regulatory mandates); • Internal IP / trade secret classification and labeling (optional); • Regular assessments, remediation, scanning, audit reporting, etc.

  14. Putting it all together • Management buy in • Determine what needs to be protected • Poke holes • Establish a security roadmap • Remediate • User Awareness • Continued vigilance = Success

  15. Quote of the day "People are the weakest link. You can have the best technology, firewalls, intrusion detection systems, biometric devices - and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything." - Kevin Mitnick, author “The Art of Deception” and other Social Engineering classics

  16. Q&A Comments? Questions?

  17. Putting it all together • Towerwall and its strategic partners offer consulting services and products that simplify unwieldy issues: • Vulnerability scans and sophisticated penetration tests (including social engineering/spear phishing components) • Regulations are boiled down to digestible lists of requirements • Gap analyses provide recommendations and relative risk priorities • Towerwall applies its 4E methodology to every engagement • Please visit our new web site at www.towerwall.com for more information on the products/services we offer
