1. Measuring & Monitoring the Effectiveness of Information Security Management
Chris Farrow CISSP, CISM, GCIH, GSEC
Director, Center for Policy & Compliance
Configuresoft
chris.farrow@configuresoft.com
2. Agenda
Introduction
Aligning Audits with Information Security
Understanding the IT Process, People & Technology
Focus on Core Metrics
Case Studies
Conclusions
3. Aligning Audits with Information Security
How often do you audit today? Why?
On intervals: monthly, quarterly, annually, etc.
How much of the environment do you audit? Why?
Random samples
Pre-identified apps, systems, etc.
Are you leveraging organizational technology?
With the right strategy & technology, consider:
Continuous State of Audit
Enterprise Wide Assurance
4. Understanding the IT process, people & technology
5. Shift & Drift = Challenge of Change
6. Understanding the IT process, people & technology
What process is your InfoSec team using? Is it standards based?
ITIL, ISO, CIS, or something else?
How do you know?
Understanding how InfoSec works, including their challenges, is key to effective monitoring & measurement
7. Focus on Core Metrics
Information Security should follow a methodology:
Discover
Analyze
Report
Plan
Remediation
Verification
Begin by checking for awareness, consistency, & effectiveness.
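An added illustration, not part of the presentation, of the points on slides 3, 5 and 7: a periodic sampled audit versus a continuous enterprise-wide one over a constructed fleet with configuration drift, scored with the three core metrics named above (awareness, consistency, effectiveness). The baseline settings, host names and metric definitions are assumptions chosen for the example.

```python
"""Added example, not from the presentation: periodic sampled audit versus a
continuous enterprise-wide one, over a constructed fleet with configuration drift."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed policy baseline: settings an internal security policy requires everywhere.
BASELINE = {"ssh_root_login": "no", "password_min_len": "12", "audit_logging": "on"}


@dataclass
class Host:
    name: str
    settings: Dict[str, str]


def drift(host: Host) -> Dict[str, Optional[str]]:
    """Settings on the host that have shifted away from the baseline."""
    return {k: host.settings.get(k) for k, v in BASELINE.items() if host.settings.get(k) != v}


def audit(fleet: List[Host], stride: int = 1) -> Dict[str, object]:
    """Discover -> Analyze -> Report. stride=1 audits every host (continuous,
    enterprise-wide); stride>1 audits every Nth host, like a periodic sample."""
    audited = fleet[::stride]
    found = [h.name for h in audited if drift(h)]
    actual = [h.name for h in fleet if drift(h)]
    return {
        "awareness": len(audited) / len(fleet),              # share of the estate actually looked at
        "consistency": 1 - len(found) / len(audited),        # share of audited hosts matching policy
        "effectiveness": len(found) / len(actual) if actual else 1.0,  # share of real drift detected
        "findings": found,
    }


def remediate(fleet: List[Host], names: List[str]) -> None:
    """Plan/Remediation: reset reported hosts to the baseline."""
    for h in fleet:
        if h.name in names:
            h.settings.update(BASELINE)


def build_fleet() -> List[Host]:
    """Constructed fleet of ten hosts, three of which have drifted."""
    fleet = [Host(f"h{i:02d}", dict(BASELINE)) for i in range(10)]
    fleet[3].settings["ssh_root_login"] = "yes"
    fleet[7].settings["audit_logging"] = "off"
    fleet[8].settings["password_min_len"] = "8"
    return fleet


if __name__ == "__main__":
    fleet = build_fleet()
    print("sampled :", audit(fleet, stride=4))  # sees h08 only; two drifted hosts missed
    print("full    :", audit(fleet))            # sees h03, h07, h08
    remediate(fleet, audit(fleet)["findings"])
    print("verified:", audit(fleet))            # Verification step: no findings remain
```

The sampled run reports 30% awareness and one-third effectiveness while the full run finds every drifted host, which is the gap between interval sampling and a continuous state of audit.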
8. Case Studies – Higher Education
Who: Two separate universities in the mid-Atlantic and the West
Targets: PCI DSS, Internal security policies
Challenge: Large & dynamic undergrad population, distance learning students, 100s of vendors on campus infrastructure
9. Case Studies – Higher Ed + Healthcare
Who: Leading teaching hospital
Targets: HIPAA, Internal security policies
Challenge: medical school students & staff, employees, and volunteers all interacting with PHI, disparate IT systems
10. Case Studies – Government
Who: Local, state & federal government
Targets: PCI DSS, Internal security policy, FISMA
Challenges:
Local utilities allow online bill pay
State DMV now accepts credit cards
Federal Reserve audited 6+ times per year
11. Conclusions
InfoSec is challenging; auditing it is harder
Enterprise visibility & a continuous state of audit pay dividends
Understanding the IT process, people & their technology is essential
Focus on core metrics
12. Questions & Follow up
Chris Farrow CISSP, CISM, GCIH, GSEC
Director, Center for Policy & Compliance
Configuresoft
chris.farrow@configuresoft.com
To request further information:
info@configuresoft.com