Relevant
Download
1 / 35

Relevant Impact Building an Enterprise Security Program - PowerPoint PPT Presentation


  • 119 Views
  • Uploaded on

Relevant Impact Building an Enterprise Security Program Tech Security Conference Minneapolis April 10, 2014. a few thoughts about all this security…. Most North American Enterprises and Government Agencies h ave experienced a breach…. Meet John, a successful, seasoned

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Relevant Impact Building an Enterprise Security Program' - wolfe


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Relevant Impact

Building an Enterprise Security Program

Tech Security Conference Minneapolis April 10, 2014



Most North American

Enterprises and

Government Agencies

have experienced a breach…


Meet John,

a successful, seasoned

information security

practitioner


His understanding of

regulation, best practice

and technical subjects

allows him to solve

any issue his organization

may face.



Build a security program guaranteeing effective protection and compliance of the organization at all times.


“It’s about the data. Security professionals have to start taking a data view of their organizations. It’s all around ‘Where is the data?’ and ‘Who is supposed to do what with it?’ which, in a huge corporation, is a huge challenge.”

Marlene N. Allison, Worldwide Vice President of

Information Security, Johnson & Johnson


Appropriate Content start taking a data view of their organizations. It’s all around ‘Where is the data?’ and ‘Who is supposed to do what with it?’ which, in a huge corporation, is a huge challenge.”Control = Web Proxy + Filtering + SIM

DDoS Prevention = Redundant links + Specialized Routers + HA Applications

Privacy Compliance = DB Controls + Email Policies + File Inventory + DLP + SIM + Ticketing System + Enterprise Policies + Training Program…


Then the inevitable… start taking a data view of their organizations. It’s all around ‘Where is the data?’ and ‘Who is supposed to do what with it?’ which, in a huge corporation, is a huge challenge.”

  • Technology Changes

  • Old clients

  • New vendors


The auditor said policy violations had been “ start taking a data view of their organizations. It’s all around ‘Where is the data?’ and ‘Who is supposed to do what with it?’ which, in a huge corporation, is a huge challenge.”ENABLED” by bad technology, chosen through a flawed process that was based on poor logic.



He board…was notified that the organization may

have an APT in the environment…





…an effective security program starts board…

with a strategy and must be aligned to the business.


Creating an Effective board… Security Program Strategy

  • Impact based approach

  • Establish business context

  • Develop strategic services


Impact based approach
Impact Based Approach board…

An impact approach identifies scenarios relevant to organizational assets


Negative board…

Outcomes

Positive

Outcomes

Risk Context

Threats

BusinessAttributes

Opportunities

Overall

likelihood

of loss

Overall

loss

value

Overall

benefit

value

Overall

likelihood

of benefit

Likelihood of

threat

materialising

Asset

value

Asset

value

Likelihood of

opportunity

materialising

Likelihood of

weakness

exploited

Negative

impact

value

Positive

impact

value

Likelihood of

strength

exploited

Loss Event

Beneficial Event


High board…

Business

Impact

Medium

Low

Low

Medium

High

Likelihood

Risk & opportunities are assessed with owners focusing on impact and enablement

A

C

B

A

Beyond our risk appetite

C

B

B

B

Warning

C

C

C

C

Within risk

appetite


Establishing business c ontext
Establishing Business board…Context

How do you develop a security program that focuses on what is important to the business?


Identify business relations and owners board…impacted by threats to information assets

Your

Organization

Customers

Suppliers

Partners

Others…


Working with the business owners abstract requirements board…into measurable “assets”


Establishing understood metrics created by owner’s board…appropriate accountability, managing to impact can be facilitated

Enterprise Level

Strategic Business Attributes Profile

Change Program Business Attributes Profile

Project

Business Attributes Profile

Operational Processes and Systems Business Attributes Profile


Developing strategic services
Developing Strategic Services board…

How can you map required functionality for any security service to a continually changing, improving environment until the end of your operational days?


Based on identified impacts to the attributes, a multi-tiered control strategy can be used to define security services the organization required


Enterprise multi-tiered security architecture builds traceability and justifications for services, processes and technologies implemented.


John had been asked multi-tiered to build a security program guaranteeing effective protection and compliance of the enterprise at all times.


He used: multi-tiered

  • An impact-based approach to assess risk & opportunities with owners.

  • Enterprise Security Architecture techniques to articulate the complete business requirements and prioritize the program.

  • Enterprise Security Architecture processes to build tractability to and justify implementations of security services.


Lessons learned
Lessons Learned multi-tiered

  • Threat-based approaches will not work long term

  • Impact based accountability is key

  • Enterprise Security requires an Enterprise Strategy

  • Strategy must drive services and the technologies in a traceable, justified manner


Great things to think about
Great things to think about… multi-tiered

  • Does your organization have clear definition and executive ownership over business impacts?

  • Are there clear linkages from the security program metrics to business performance?

  • Does your organization have a strategic view of the services your Security Program is delivering the organization?


THANK YOU multi-tiered

  • Patrick M. Hayes

  • Managing Director

  • [email protected]


ad