Post on 06-Apr-2017
MOBILE FIRST, SECURITY FIRST!
CHIRAG SHAH, DIRECTOR OF INFORMATION SECURITY, MOBILEIRON
At MobileIron, we are focused on building innovative solutions that enable organizations to embrace Mobile and Cloud solutions to drive business efficiency and growth.
CHALLENGES
• Addressing growing/changing regulatory requirements across different regions and line of products (FedRamp/SOC2/SOX/ISO 27K)
• Growing quantity of data/information, and where that data is stored will continue to pose unique privacy/security challenges
• Breaking silos and shifting company culture
• Coordinating security across departments and functions
[Figure: PEOPLE / PROCESS / TECHNOLOGY]
ACCOMPLISHMENTS
• Tripwire File Integrity Monitoring (FIM) tool to monitor file changes in our production environment and meet regulatory compliance requirements.
• Tripwire FIM has the unique, built-in capability to reduce noise by providing multiple ways of determining low-risk change from high-risk change.
• Gave us ability to respond and remove potential human error by integrating with change processes and ticketing systems.
• Flexible support and deployment helped us move quickly in production deployment stage.
• Dashboard and reporting helped us get through audit quickly, and provided appropriate set of compliance reports.
WHY FILE INTEGRITY MONITORING?
• Know integrity of critical files and infrastructure immediately
• Provide appropriate reports to auditors; meet regulatory compliance requirements
• Keep our environment secure and convey the “Mobile First! Security First!” message
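The two FIM ideas the slides credit to Tripwire (hashing a baseline to spot changes, then cutting noise by separating ticketed, low-risk changes from unticketed, high-risk ones) as a small added example; this is hypothetical illustration code, not Tripwire's, and the file tree, paths and ticket id CHG-1234 are constructed:

```python
import hashlib
import os
import tempfile

# Hypothetical minimal file-integrity monitor (added example, not Tripwire code):
# hash a baseline, re-scan, then reduce noise by matching each change to an
# approved change ticket; anything without a ticket is flagged high-risk.

def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    # Map of relative path -> SHA-256 for every file under root.
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = hash_file(full)
    return out

def diff(old, new):
    # Return (path, kind) for every added, deleted or modified file.
    changes = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            changes.append((rel, "added"))
        elif rel not in new:
            changes.append((rel, "deleted"))
        elif old[rel] != new[rel]:
            changes.append((rel, "modified"))
    return changes

def classify(changes, tickets):
    # tickets: {ticket_id: {relative paths that ticket approves}} (constructed).
    approved = {p: t for t, paths in tickets.items() for p in paths}
    return [(rel, kind, approved.get(rel, "HIGH-RISK: no change ticket"))
            for rel, kind in changes]

def write(root, rel, text):
    with open(os.path.join(root, *rel.split("/")), "w") as f:
        f.write(text)

def demo():
    # Constructed sample tree: one ticketed config edit, one unticketed one.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        write(root, "etc/app.conf", "debug=false\n")
        write(root, "etc/sshd_config", "PermitRootLogin no\n")
        before = baseline(root)
        write(root, "etc/app.conf", "debug=true\n")              # covered by CHG-1234
        write(root, "etc/sshd_config", "PermitRootLogin yes\n")  # nobody filed a ticket
        return classify(diff(before, baseline(root)), {"CHG-1234": {"etc/app.conf"}})
```

Calling demo() returns one row per changed file; the unticketed sshd_config edit is the row an analyst should look at first.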
APPENDIX
SECURITY FRAMEWORK
TOP 20 CRITICAL SECURITY CONTROLS
1. Set Security Goals
2. Identify assets, systems, networks & functions
3. Assess Risks (Vulnerabilities, Threats and security gaps)
4. Prioritize
5. Implement Protective Programs
6. Measure Effectiveness
[Figure: Physical / Cyber / Human]
THE GOLDEN RULES: BUILDING AN EFFECTIVE ENTERPRISE INFORMATION SECURITY PROGRAM
1. Develop an enterprise-wide information security strategy and game plan
2. Get corporate “buy in” for the enterprise information security program—effective programs start at the top
3. Build information security into the infrastructure of the enterprise
4. Establish level of “due diligence”
5. Focus initially on mission/business case impacts—bring in threat information only when specific and credible
6. Create a balanced information security program with management, operational and technical security controls
7. Employ a solid foundation of security controls first, then build on that foundation guided by an assessment of risk
8. Avoid complicated and expensive risk assessments that rely on flawed assumptions or unverifiable data
9. Harden the target; place multiple barriers between the adversary and enterprise information systems
10. Be a good consumer—beware of vendors trying to sell “single point solutions” for enterprise security problems
11. Don’t be overwhelmed with the enormity or complexity of the information security problem—take one step at a time and build on small successes
12. Don’t tolerate indifference to enterprise information security problems
AND FINALLY…
13. Manage enterprise risk—don’t try to avoid it!