Relevant
Download
1 / 35

Relevant Impact Building an Enterprise Security Program - PowerPoint PPT Presentation


  • 107 Views
  • Uploaded on
  • Presentation posted in: General

Relevant Impact Building an Enterprise Security Program Tech Security ConferenceMinneapolis April 10, 2014. a few thoughts about all this security…. Most North American Enterprises and Government Agencies h ave experienced a breach…. Meet John, a successful, seasoned

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha

Download Presentation

Relevant Impact Building an Enterprise Security Program

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Relevant Impact

Building an Enterprise Security Program

Tech Security ConferenceMinneapolis April 10, 2014


a few thoughts about all this security…


Most North American

Enterprises and

Government Agencies

have experienced a breach…


Meet John,

a successful, seasoned

information security

practitioner


His understanding of

regulation, best practice

and technical subjects

allows him to solve

any issue his organization

may face.


… he was asked to be CISO


Build a security program guaranteeing effective protection and compliance of the organization at all times.


“It’s about the data. Security professionals have to start taking a data view of their organizations. It’s all around ‘Where is the data?’ and ‘Who is supposed to do what with it?’ which, in a huge corporation, is a huge challenge.”

Marlene N. Allison, Worldwide Vice President of

Information Security, Johnson & Johnson


Appropriate Content Control = Web Proxy + Filtering + SIM

DDoS Prevention = Redundant links + Specialized Routers + HA Applications

Privacy Compliance = DB Controls + Email Policies + File Inventory + DLP + SIM + Ticketing System + Enterprise Policies + Training Program…


Then the inevitable…

  • Technology Changes

  • Old clients

  • New vendors


The auditor said policy violations had been “ENABLED” by bad technology, chosen through a flawed process that was based on poor logic.


Frustration set in as he tried to go back to the drawing board…

….then the unexpected.


Hewas notified that the organization may

have an APT in the environment…


John thought about his predicament…


…and had an epiphany.


“This shouldn’t be my problem...”


…an effective security program starts

with a strategy and must be aligned to the business.


Creating an Effective Security Program Strategy

  • Impact based approach

  • Establish business context

  • Develop strategic services


Impact Based Approach

An impact approach identifies scenarios relevant to organizational assets


Negative

Outcomes

Positive

Outcomes

Risk Context

Threats

BusinessAttributes

Opportunities

Overall

likelihood

of loss

Overall

loss

value

Overall

benefit

value

Overall

likelihood

of benefit

Likelihood of

threat

materialising

Asset

value

Asset

value

Likelihood of

opportunity

materialising

Likelihood of

weakness

exploited

Negative

impact

value

Positive

impact

value

Likelihood of

strength

exploited

Loss Event

Beneficial Event


High

Business

Impact

Medium

Low

Low

Medium

High

Likelihood

Risk & opportunities are assessed with owners focusing on impact and enablement

A

C

B

A

Beyond our risk appetite

C

B

B

B

Warning

C

C

C

C

Within risk

appetite


Establishing Business Context

How do you develop a security program that focuses on what is important to the business?


Identify business relations and owners impacted by threats to information assets

Your

Organization

Customers

Suppliers

Partners

Others…


Working with the business owners abstract requirements into measurable “assets”


Establishing understood metrics created by owner’s appropriate accountability, managing to impact can be facilitated

Enterprise Level

Strategic Business Attributes Profile

Change Program Business Attributes Profile

Project

Business Attributes Profile

Operational Processes and Systems Business Attributes Profile


Developing Strategic Services

How can you map required functionality for any security service to a continually changing, improving environment until the end of your operational days?


Based on identified impacts to the attributes, a multi-tiered control strategy can be used to define security services the organization required


Enterprise security architecture builds traceability and justifications for services, processes and technologies implemented.


John had been asked to build a security program guaranteeing effective protection and compliance of the enterprise at all times.


He used:

  • An impact-based approach to assess risk & opportunities with owners.

  • Enterprise Security Architecture techniques to articulate the complete business requirements and prioritize the program.

  • Enterprise Security Architecture processes to build tractability to and justify implementations of security services.


Lessons Learned

  • Threat-based approaches will not work long term

  • Impact based accountability is key

  • Enterprise Security requires an Enterprise Strategy

  • Strategy must drive services and the technologies in a traceable, justified manner


Great things to think about…

  • Does your organization have clear definition and executive ownership over business impacts?

  • Are there clear linkages from the security program metrics to business performance?

  • Does your organization have a strategic view of the services your Security Program is delivering the organization?


THANK YOU

  • Patrick M. Hayes

  • Managing Director

  • phayes@seccuris.com


ad
  • Login