1 / 35

Relevant Impact Building an Enterprise Security Program

Relevant Impact Building an Enterprise Security Program Tech Security Conference Minneapolis April 10, 2014. a few thoughts about all this security…. Most North American Enterprises and Government Agencies h ave experienced a breach…. Meet John, a successful, seasoned

wolfe
Download Presentation

Relevant Impact Building an Enterprise Security Program

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Relevant Impact Building an Enterprise Security Program Tech Security Conference Minneapolis April 10, 2014

  2. a few thoughts about all this security…

  3. Most North American Enterprises and Government Agencies have experienced a breach…

  4. Meet John, a successful, seasoned information security practitioner

  5. His understanding of regulation, best practice and technical subjects allows him to solve any issue his organization may face.

  6. … he was asked to be CISO

  7. Build a security program guaranteeing effective protection and compliance of the organization at all times.

  8. “It’s about the data. Security professionals have to start taking a data view of their organizations. It’s all around ‘Where is the data?’ and ‘Who is supposed to do what with it?’ which, in a huge corporation, is a huge challenge.” Marlene N. Allison, Worldwide Vice President of Information Security, Johnson & Johnson

  9. Appropriate Content Control = Web Proxy + Filtering + SIM DDoS Prevention = Redundant links + Specialized Routers + HA Applications Privacy Compliance = DB Controls + Email Policies + File Inventory + DLP + SIM + Ticketing System + Enterprise Policies + Training Program…

  10. Then the inevitable… • Technology Changes • Old clients • New vendors

  11. The auditor said policy violations had been “ENABLED” by bad technology, chosen through a flawed process that was based on poor logic.

  12. Frustration set in as he tried to go back to the drawing board… ….then the unexpected.

  13. Hewas notified that the organization may have an APT in the environment…

  14. John thought about his predicament…

  15. …and had an epiphany.

  16. “This shouldn’t be my problem...”

  17. …an effective security program starts with a strategy and must be aligned to the business.

  18. Creating an Effective Security Program Strategy • Impact based approach • Establish business context • Develop strategic services

  19. Impact Based Approach An impact approach identifies scenarios relevant to organizational assets

  20. Negative Outcomes Positive Outcomes Risk Context Threats BusinessAttributes Opportunities Overall likelihood of loss Overall loss value Overall benefit value Overall likelihood of benefit Likelihood of threat materialising Asset value Asset value Likelihood of opportunity materialising Likelihood of weakness exploited Negative impact value Positive impact value Likelihood of strength exploited Loss Event Beneficial Event

  21. High Business Impact Medium Low Low Medium High Likelihood Risk & opportunities are assessed with owners focusing on impact and enablement A C B A Beyond our risk appetite C B B B Warning C C C C Within risk appetite

  22. Establishing Business Context How do you develop a security program that focuses on what is important to the business?

  23. Identify business relations and owners impacted by threats to information assets Your Organization Customers Suppliers Partners Others…

  24. Working with the business owners abstract requirements into measurable “assets”

  25. Establishing understood metrics created by owner’s appropriate accountability, managing to impact can be facilitated Enterprise Level Strategic Business Attributes Profile Change Program Business Attributes Profile Project Business Attributes Profile Operational Processes and Systems Business Attributes Profile

  26. Developing Strategic Services How can you map required functionality for any security service to a continually changing, improving environment until the end of your operational days?

  27. Based on identified impacts to the attributes, a multi-tiered control strategy can be used to define security services the organization required

  28. Enterprise security architecture builds traceability and justifications for services, processes and technologies implemented.

  29. John had been asked to build a security program guaranteeing effective protection and compliance of the enterprise at all times.

  30. He used: • An impact-based approach to assess risk & opportunities with owners. • Enterprise Security Architecture techniques to articulate the complete business requirements and prioritize the program. • Enterprise Security Architecture processes to build tractability to and justify implementations of security services.

  31. Lessons Learned • Threat-based approaches will not work long term • Impact based accountability is key • Enterprise Security requires an Enterprise Strategy • Strategy must drive services and the technologies in a traceable, justified manner

  32. Great things to think about… • Does your organization have clear definition and executive ownership over business impacts? • Are there clear linkages from the security program metrics to business performance? • Does your organization have a strategic view of the services your Security Program is delivering the organization?

  33. THANK YOU • Patrick M. Hayes • Managing Director • phayes@seccuris.com

More Related