Relevant impact building an enterprise security program

Relevant Impact

Building an Enterprise Security Program

Tech Security Conference, Minneapolis, April 10, 2014



a few thoughts about all this security…


Most North American enterprises and government agencies have experienced a breach…


Meet John, a successful, seasoned information security practitioner.


His understanding of regulation, best practice and technical subjects allows him to solve any issue his organization may face.



… he was asked to be CISO



Build a security program guaranteeing effective protection and compliance of the organization at all times.


“It’s about the data. Security professionals have to start taking a data view of their organizations. It’s all around ‘Where is the data?’ and ‘Who is supposed to do what with it?’ which, in a huge corporation, is a huge challenge.”

Marlene N. Allison, Worldwide Vice President of Information Security, Johnson & Johnson



Appropriate Content Control = Web Proxy + Filtering + SIM

DDoS Prevention = Redundant links + Specialized Routers + HA Applications

Privacy Compliance = DB Controls + Email Policies + File Inventory + DLP + SIM + Ticketing System + Enterprise Policies + Training Program…



Then the inevitable…

  • Technology Changes

  • Old clients

  • New vendors



The auditor said policy violations had been “ENABLED” by bad technology, chosen through a flawed process that was based on poor logic.


Frustration set in as he tried to go back to the drawing board…

…then the unexpected.


He was notified that the organization may have an APT in the environment…



John thought about his predicament…



…and had an epiphany.



“This shouldn’t be my problem...”


…an effective security program starts with a strategy and must be aligned to the business.



Creating an Effective Security Program Strategy

  • Impact based approach

  • Establish business context

  • Develop strategic services


Impact Based Approach

An impact-based approach identifies scenarios relevant to organizational assets.


Figure (risk context model; text recovered from the diagram): Threats act on the organization's Business Attributes and may produce a Loss Event; Opportunities act on the same attributes and may produce a Beneficial Event.

Negative outcomes: the likelihood of a threat materialising and the likelihood of a weakness being exploited feed the overall likelihood of loss; asset value and negative impact value feed the overall loss value.

Positive outcomes: the likelihood of an opportunity materialising and the likelihood of a strength being exploited feed the overall likelihood of benefit; asset value and positive impact value feed the overall benefit value.


Figure (risk matrix; text recovered from the diagram): a 3×3 grid of Business Impact (Low, Medium, High) against Likelihood (Low, Medium, High). Each cell is graded A, B or C: A = beyond our risk appetite (one cell), B = warning (three cells), C = within risk appetite (five cells).

Risk & opportunities are assessed with owners focusing on impact and enablement.
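As an added example (not part of the presentation), the two slides above expressed as a small Python scoring routine. It uses the diagram's terms: overall likelihood of loss from the likelihood of the threat materialising and of the weakness being exploited, overall loss value from asset value and negative impact, and each scenario placed on the 3×3 matrix with an A/B/C grade for its accountable owner. Everything not on the slides is an assumption: likelihoods are combined by multiplication, loss value is asset value times an impact fraction, the Low/Medium/High cut-offs are illustrative, the A/B/C cell assignment is one grid consistent with the slide's cell counts (one A, three B, five C), and the scenarios, owners and figures are constructed sample data.

```python
"""Impact-based scenario scoring in the terms of the risk-context diagram.

Added example; not from the presentation. Assumptions (not stated on the
slides): likelihoods multiply, loss value = asset value * impact fraction,
the band cut-offs are illustrative, and the A/B/C grid is one reading that
matches the slide's cell counts (1 A, 3 B, 5 C).
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

# Assumed cut-offs: (upper bound, band label), ascending. Likelihood is a
# probability; loss value is in currency units. Tune to the owner's appetite.
LIKELIHOOD_CUTOFFS = ((0.05, "Low"), (0.25, "Medium"), (1.0, "High"))
LOSS_CUTOFFS = ((100_000.0, "Low"), (1_000_000.0, "Medium"), (float("inf"), "High"))
RANK = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class LossScenario:
    name: str
    owner: str              # accountable business owner (slide: "assessed with owners")
    asset_value: float      # value of the affected asset, currency units
    p_threat: float         # likelihood of threat materialising, 0..1
    p_weakness: float       # likelihood of weakness exploited given the threat, 0..1
    impact_fraction: float  # negative impact as a share of asset value, 0..1


def overall_likelihood_of_loss(s: LossScenario) -> float:
    """Diagram: likelihood of threat materialising x likelihood of weakness exploited (assumed product)."""
    return s.p_threat * s.p_weakness


def overall_loss_value(s: LossScenario) -> float:
    """Diagram: asset value combined with negative impact value (assumed product)."""
    return s.asset_value * s.impact_fraction


def band(value: float, cutoffs) -> str:
    """Map a number onto Low/Medium/High using ascending (upper_bound, label) pairs."""
    for upper, label in cutoffs:
        if value <= upper:
            return label
    return cutoffs[-1][1]


def grade_cell(likelihood_band: str, impact_band: str) -> str:
    """Assumed grid: A only at High/High; B when both axes are at least Medium;
    C elsewhere. That yields 1 A, 3 B and 5 C cells, as on the slide."""
    l, i = RANK[likelihood_band], RANK[impact_band]
    if l == 2 and i == 2:
        return "A"  # beyond our risk appetite
    if l >= 1 and i >= 1:
        return "B"  # warning
    return "C"      # within risk appetite


def assess(s: LossScenario) -> Dict[str, Any]:
    """Score one scenario and place it on the matrix."""
    p = overall_likelihood_of_loss(s)
    v = overall_loss_value(s)
    lb, ib = band(p, LIKELIHOOD_CUTOFFS), band(v, LOSS_CUTOFFS)
    return {"scenario": s.name, "owner": s.owner, "likelihood": p, "loss_value": v,
            "likelihood_band": lb, "impact_band": ib, "grade": grade_cell(lb, ib)}


def beyond_appetite(scenarios: Iterable[LossScenario]) -> List[Dict[str, Any]]:
    """The scenarios an owner has to act on: those graded A."""
    return [r for r in map(assess, scenarios) if r["grade"] == "A"]


# Constructed sample register; names, owners and figures are made up.
SCENARIOS = [
    LossScenario("Customer PII database exposure", "VP Customer Operations",
                 asset_value=5_000_000, p_threat=0.6, p_weakness=0.5, impact_fraction=0.4),
    LossScenario("Supplier portal outage", "Head of Procurement",
                 asset_value=800_000, p_threat=0.3, p_weakness=0.4, impact_fraction=0.2),
    LossScenario("Lost unencrypted laptop", "Regional Sales Director",
                 asset_value=50_000, p_threat=0.2, p_weakness=0.15, impact_fraction=1.0),
]

if __name__ == "__main__":
    for r in map(assess, SCENARIOS):
        print(f'{r["grade"]}  {r["likelihood_band"]:6} / {r["impact_band"]:6}  '
              f'{r["scenario"]} (owner: {r["owner"]})')
```

Run as a script it prints one line per scenario with its grade, bands and owner; the PII scenario lands in the single A cell, the portal outage in a B cell and the laptop in a C cell. The point of keeping the owner on every record is the slide's: the grade is something a named business owner signs off on against an appetite they set, not a number the security team produces on its own.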


Establishing Business Context

How do you develop a security program that focuses on what is important to the business?


Identify business relations and owners impacted by threats to information assets: your organization, customers, suppliers, partners, others…


Working with the business owners, abstract requirements into measurable “assets”.


Once owners are accountable for metrics they understand, managing to impact becomes practical. A Business Attributes Profile is kept at each level:

  • Enterprise level: Strategic Business Attributes Profile

  • Change program: Business Attributes Profile

  • Project: Business Attributes Profile

  • Operational processes and systems: Business Attributes Profile


Developing Strategic Services

How can you map the required functionality of any security service onto an environment that keeps changing and improving for as long as you operate?


Based on the identified impacts to the attributes, a multi-tiered control strategy can be used to define the security services the organization requires.



Enterprise security architecture builds traceability and justifications for services, processes and technologies implemented.



John had been asked to build a security program guaranteeing effective protection and compliance of the enterprise at all times.



He used:

  • An impact-based approach to assess risk & opportunities with owners.

  • Enterprise Security Architecture techniques to articulate the complete business requirements and prioritize the program.

  • Enterprise Security Architecture processes to build traceability to, and justify, the implementations of security services.


Lessons Learned

  • Threat-based approaches will not work long term

  • Impact based accountability is key

  • Enterprise Security requires an Enterprise Strategy

  • Strategy must drive services and the technologies in a traceable, justified manner


Great things to think about…

  • Does your organization have clear definition and executive ownership over business impacts?

  • Are there clear linkages from the security program metrics to business performance?

  • Does your organization have a strategic view of the services your Security Program is delivering to the organization?



THANK YOU

  • Patrick M. Hayes

  • Managing Director

  • [email protected]

