Building an Enterprise Security Program
Tech Security Conference, Minneapolis, April 10, 2014
a few thoughts about all this security…
Most North American Enterprises and Government Agencies have experienced a breach…
Meet John, a successful, seasoned
His understanding of regulation, best practice and technical subjects allows him to solve any issue his organization
… he was asked to be CISO
Build a security program guaranteeing effective protection and compliance of the organization at all times.
“It’s about the data. Security professionals have to start taking a data view of their organizations. It’s all around ‘Where is the data?’ and ‘Who is supposed to do what with it?’ which, in a huge corporation, is a huge challenge.”
Marlene N. Allison, Worldwide Vice President of Information Security, Johnson & Johnson
Appropriate Content Control = Web Proxy + Filtering + SIM
DDoS Prevention = Redundant links + Specialized Routers + HA Applications
Privacy Compliance = DB Controls + Email Policies + File Inventory + DLP + SIM + Ticketing System + Enterprise Policies + Training Program…
Then the inevitable…
The auditor said policy violations had been “ENABLED” by bad technology, chosen through a flawed process that was based on poor logic.
Frustration set in as he tried to go back to the drawing board…
…then the unexpected.
He was notified that the organization may have an APT in the environment…
John thought about his predicament…
…and had an epiphany.
“This shouldn’t be my problem...”
…an effective security program starts with a strategy and must be aligned to the business.
Creating an Effective Security Program Strategy
An impact approach identifies scenarios relevant to organizational assets
Risk & opportunities are assessed with owners focusing on impact and enablement
Beyond our risk appetite
How do you develop a security program that focuses on what is important to the business?
Identify business relations and owners impacted by threats to information assets
Working with the business owners, abstract requirements into measurable “assets”
By establishing understood metrics, created through the owners’ appropriate accountability, managing to impact can be facilitated
Business Attributes Profile layers: Strategic; Change Program; Operational Processes and Systems
How can you map required functionality for any security service to a continually changing, improving environment until the end of your operational days?
Based on identified impacts to the attributes, a multi-tiered control strategy can be used to define the security services the organization requires
Enterprise security architecture builds traceability and justifications for services, processes and technologies implemented.
John had been asked to build a security program guaranteeing effective protection and compliance of the enterprise at all times.