Pulling it All Together - PowerPoint PPT Presentation

About This Presentation
Title:

Pulling it All Together

Description:

Risk Management implies consistent solutions that protect based ... 'One Belly Button' Minimizes Duplication of Effort. Infrastructure supports multiple efforts ... – PowerPoint PPT presentation

Number of Views:26
Avg rating:3.0/5.0
Slides: 20
Provided by: redclays

Transcript and Presenter's Notes

1
Pulling it All Together
Joe Filer, CISSP, PMP, Sr. Program Manager
13 May 2004
2
Overview
  • Goal
  • Guidance
  • The Value of An Enterprise Approach
  • Security Maturity
  • 10 Low Cost Things to Do Today
  • Conclusions

3
Goal
Comprehensive Enterprise Security Programs that
result in business-enabling security solutions
and minimize risk.
4
Guidance
  • We cannot do EVERYTHING!
  • Risk Management implies consistent solutions that
    protect based on the value of the information to
    the company.
  • Why is it that the one thing we don't protect is
    exactly where we get burned?
  • Emergence of Regulatory guidance is a good
    thing.
      • HIPAA
      • GLB
      • Sarbanes-Oxley
      • Etc.
  • Low Hanging Fruit
  • Lessons Learned

5
Enterprise Security Approach
  • Ensures Comprehensive Consideration
      • People, Process, Technology
  • Centralizes Security Responsibility
      • One Belly Button
  • Minimizes Duplication of Effort
      • Infrastructure supports multiple efforts
  • Helps to ensure consistency of solutions
      • Common sheet of music
  • Facilitates implementation of Risk Management
    approach
      • Common approach

6
Security Maturity
  • Provides a Path for Proven Success
  • Does not have to be as Difficult as Previous
    Approaches
  • Helps to define Where we came From
  • Five Maturity Levels
      • Performed Informally
      • Planned and Tracked
      • Well Defined
      • Quantitatively Controlled
      • Continuously Improving

7
10 Low/No Cost Things to Consider Today!
  • Proven, Immediate Solutions to Minimize
    Organizational Information Security Risk
  • Consistent with Guidance
  • Reflect Solutions to Issues Experienced by Others
  • Often Overlooked!
  • Low Hanging Fruit
  • Key Low or No Cost to Implement

8
1 Develop/Evolve Information Security Policy
  • Foundation of Enterprise Approach
  • Reflects Management Commitment - Essential
  • Provides Support for Security Awareness
  • Enables Employees to Meet Corporate Security
    Expectations
  • Identifies Information Security Responsibilities
  • Fosters Compliance
  • Worst Case: Supports potential Lawsuits!!

9
2 Provide Security Awareness Training
  • Based on the Information Security Policy
  • Facilitate User Compliance
  • Require User Understanding Sign Off
  • Keep Database to ensure periodic re-training
  • Periodic Review of Content Important
  • Support with Awareness initiatives

10
3 Develop an Information Security Steering Group
  • Conduit for Management Communication
  • Conduit for Business Function input
  • Sounding board for the organization's security
    initiatives
  • Facilitates corporate buy-in

11
4 Identify a Go-To Security Person
  • Fosters Centralized Information Security
  • Representative to InfoSec Steering Group
  • Facilitates Management Communication
  • Enables Consistent Information Security Approach
  • Establishes Information Security Accountability
  • Consistent regulatory requirement

12
5 Develop/Evolve Business Continuity Plan and Function
  • Essential element of Information Security
  • Provides Recovery blueprint
  • Define and prioritize critical Business functions
  • Consider Threat/Risk environment
  • Plan to Respond
  • Test the Plan!!
  • Periodic Maintenance Essential!

13
6 Institutionalize a Risk Management Philosophy
  • Protect only to the level of business value
  • Focus on Business enabling solutions with
    adequate information security controls
  • Incorporate into Systems Development Life Cycle
    process
  • Facilitates Business IT information security
    requirement compliance

14
7 Develop an Incident Response Team
  • Plan for anticipated events
  • Identify key players
      • Including Business Reps (HR, Legal, PA, etc.)
  • Include in Security Awareness training
  • Test to improve efficiency and effectiveness of
    Response function
  • Keep the team members and contact information
    current!

15
8 Build an Information Classification Capability
  • Identify Sensitive Corporate Information
  • Address Handling/Marking/Disposal issues
  • Include in Security Awareness training
  • Tie into Document Retention/BCP efforts

16
9 Foster Layered Approach
  • Ensures Risk Managed Control
  • Fosters Important Communication
  • Physical
  • Logical
  • Administrative
  • Minimizes Likelihood of Complacency
  • Necessary Element of Compliance

17
10 Establish a Compliance Function
  • Measure effectiveness of Controls
  • Reflects the management commitment
  • Effective for communication to senior leadership
  • Useful for modifying controls
  • Necessary element of Maturity Model
  • Most often overlooked!

18
For more information on the seminar:
  • www.redclaysoftware.com

19
Joe Filer, CISSP, PMP
Senior Program Manager, Information Assurance
3463 Magic Drive, Suite 120, San Antonio, TX 78229
Voice 210.735.1903
Fax 210.979.8562
Cell 210.317.3230
jfiler_at_caci.com
www.caci.com