
Squashing Politics with Policy


Presentation Transcript


  1. Squashing Politics with Policy

  2. Agenda
  1 Challenges
  2 Foundation for acceptable security
  3 Why it helps
  4 Questions / Discussion
  [Restricted] ONLY for designated groups and individuals

  3. Why do we need security controls?
  • Protect company and client sensitive information
  • Protect company image
  • Save the company money
  • Protect critical applications that make your company money
  • Protect critical applications that provide services to the public


  5. Challenges with implementing security
  • Users don’t like change
  • Users don’t like the idea of freedoms being taken away
  • Users can feel accused if they are told they are doing something insecure
  • Security controls can break applications or functions in your IT infrastructure
  • Security requirements can slow down projects


  7. Foundation for acceptable security
  • Develop your Security Policy
  • Develop an Approval Process for Policy Exceptions
  • Develop Implementation and Test Plans
  • Develop Standard Operating Procedures
  • Develop Procedure for Post Mortem and Root Cause Analysis

  8. Foundation for acceptable security: Develop your security policy
  • The policy SHOULD BE THE FOUNDATION OF SECURITY IN YOUR ORGANIZATION
  • Get it vetted by the appropriate parties, then distributed to and signed by everyone in your organization:
    • HR (especially for web content filtering!)
    • Management
    • CIO, CISO, CTO, Director, etc.
  • Policy violations must have consequences

  9. From scratch?! I don’t have time!
  • Plenty of free resources: sans.org/security-resources/

  10. Foundation for acceptable security: Develop an approval process for policy exceptions
  • When exceptions must be made to the policy:
    • Communicate the risk
    • Keep a record of someone ELSE accepting the risk: someone in your direct chain of reports, or someone designated to accept risk (such as a compliance department)
    • Document the exception, including what was accepted, by whom, and when it will be reviewed

  11. Foundation for acceptable security: Develop Standard Operating Procedures
  • Things that you do on a daily basis for due diligence
  • These practices are usually more specific to your group within the company
  • SOPs will change as the security threat landscape evolves
  • Get them vetted and signed by your manager

  12. Foundation for acceptable security: Develop implementation and test plans
  • A thorough test plan increases the probability of a successful deployment, and therefore increases user acceptance
  • Require testing of critical business applications or functions, performed by the business units responsible for those applications
  • Always include a rollback plan, and the time needed to execute it

  13. Foundation for acceptable security: Develop a procedure for post mortem and root cause analysis
  • Doing this will:
    • Keep a record of the relevant facts of significant outages (for audit, the manager’s report, etc.)
    • Avoid misdiagnosis, and discourage the same mistake from being repeated in the future


  15. Why it helps
  • Increases user acceptance of security
  • Minimizes the impact of implementing controls
  • Increases user security awareness
  • Increases confidence in security controls
  • Breeds a professional and happy work environment with more unity among teams


  17. Questions?
