Title: How To Work With A Partner In Order To Meet Your Security Needs
Mark Nagiel, Manager, Security Consulting
Slide 2: Not Part Of This Presentation
- Scary Numbers!
- Doom and Gloom!
- Sales Pitch!
Slide 3: Security Concept 1
Security is a process
Slide 4: Security Concept 2
Robust information security programs are
- Multi-dimensional
- Comprehensive
- Policy-centric
- Holistic
Slide 5: The Holistic Model
Diagram: a cycle of the following stages
- Policy Development
- Countermeasure Engineering
- Security Awareness
- Security Monitoring
- Incident Response
- Vulnerability Assessment
- Policy Enhancement
Slide 6: Security Concept 3
Think beyond security; think risk management.
Slide 7: Why Do We Need Security Partners?
- Security is rarely a core IT organization competency
- IT organizations are primarily focused on availability
- New threats emerge on a daily basis
- Industry regulatory compliance
- Insurance coverage requires independent audits
- Security can be like performing brain surgery
Slide 8: The Perfect Partner Relationship
Slide 9: Partner Selection Framework
Diagram: PERFECT PARTNER at the centre of three inputs
- Business Knowledge
- Industry Experience
- Solution Delivery Methodology
Slide 10: Security Partnership Fundamentals
- A security partner should be treated as an extension of the organization.
- Limit use of security partners to as few as possible.
- Security partners should include knowledge transfer as part of any engagement or service.
- Partners must clearly quantify security-related ROI.
Slide 11: Security Partner Selection Criteria
- Potential partner must
  - Understand the organizational business model
  - Understand how security will serve as a business enabler
  - Understand client risk tolerance
  - Understand business-specific threats
  - Understand industry-specific regulations (HIPAA, GLB)
  - Provide heterogeneous solutions
  - Adhere to industry Best Practices (ISO17799/BS7799)
  - Be a trusted entity
  - Have appropriate security industry experience
- Beware of product specialists!
Slide 12: Legal / Financial Obligations
When Selecting, Don't Forget:
- CEOs of public corporations are legally obligated to protect corporate data assets (due diligence).
- Bad business decisions include bad decisions related to information security.
- Shareholders can and will exercise their need to recover any loss due to negligence.
- CEOs of certain organizations are subject to regulatory compliance.
- Empowered and trusted employees must be viewed based on human factors.
Slide 13: Client Responsibilities
- Client must share current risk management philosophy with partner
- Client must share desired levels of risk management
- Client must share BIA data if it exists
- Client must provide access to key individuals (CEO, CIO, HR, Risk Management, Physical Security, or as appropriate)
- Client must provide access to all pertinent technical and non-technical data/information
- Client must detail expected deliverables
- Client must detail quality of deliverables
- Client must detail engagement schedule
Slide 14: Security Partner Responsibilities
- Understand overall risk management goals
- Understand risk tolerance levels
- Provide solutions that can be leveraged in the future
- Provide a heterogeneous strategy
- Consider organizational limitations
  - Technology
  - Process
  - Skills
  - Legacy Dependencies
  - Financial Constraints
Slide 15: Partner Engagement Goals
- Security partnership must result in
  - Enhanced integrity in the business model
  - Enhanced control over client data and information
  - Enhanced incident survivability
  - Enhanced non-disclosure of business-critical information
  - Enhanced application of key security pillars
Slide 16: Applied Technology Security
Diagram: three layers
- APPLICATION LEVEL
- SYSTEM LEVEL
- NETWORK LEVEL
Slide 17: Applied Process Security
Diagram: three layers
- INTELLECTUAL
- SOCIAL
- PHYSICAL
Slide 18: Engagement Considerations
Diagram: the following areas arranged around Risk Management Fundamentals
- SECURITY AWARENESS
- VIRUS PROTECTION
- ACCESS CONTROL
- SECURITY AUDITING
- INTRUSION DETECTION / PREVENTION
- PHYSICAL DATA PROTECTION
- INSURANCE COVERAGE
- ENCRYPTION
- POLICIES AND PROCEDURES
Slide 19: Partner Success Map
Diagram: flow of inputs to a successful partnership
- Client Input: What is our acceptable level of risk?
- Partner Input: What solutions and expertise can we offer?
- Security / Partnership Roadmap: Do the proposed solutions meet our risk management and financial requirements?
- Successful Partnership: Will the partnership ensure the achievement of acceptable levels of risk?
Slide 20: What Happens When Things Go Wrong
Slide 21: Open Shares
Slide 22: Back Door Entry
Diagram: E-Mail Server
Slide 23: Application Security
Diagram: Firewall; Nuclear Facility Network; Server Running Random Employee Drug Testing Software
Slide 24: Application Security
Diagram: the same components as Slide 23, each marked TESTED
Slide 25: Q & A