Information Security for Business Leaders Presentation

© 2011 JurInnov, Ltd. All Rights Reserved

Transcript of Information Security for Business Leaders Presentation

8/6/2019 Information Security for Business Leaders Presentation

http://slidepdf.com/reader/full/information-security-for-business-leaders-presentation 1/27


JurInnov helps organizations… 

Apply technology to optimize electronic discovery

Collect and uncover evidence

Better protect, manage and track electronic information

…and relax a little

Who Are We?


Respond to a breach

Computer Forensics

Prevent the breach

Information Security

Who Wants a Crisis Anyway?


Threats to our businesses

Approach to Information Security

Business integration

Creating the culture

Making it happen

Trade-offs

Take-Aways

Today’s Discussion 

April 2011 – Sony Corp. data breach, 100 million PlayStation network accounts

Wall Street Journal, May 18, 2011 – “Sony Corp Chief Executive Howard Stringer said he can't guarantee the security of the company's videogame network or any other Web system in the "bad new world" of cybercrime.”

“… maintaining security is a ‘never-ending process’ and he doesn't know if anyone is 100%.”

In the News


Third Parties

April 4, 2011 – Over 2500 companies who used Epsilon’s marketing services had to inform customers that their data system was exposed to unauthorized entry.

In the News


Average breach costs $214 per record

Average organizational cost $7.2 million per incident

The Ponemon Institute Study, March 18, 2011

Risk and compliance budgets expected to increase by 21% in 2011

McAfee 2011 Risk and Compliance Report

Facts and Figures


$548 million

The US government is increasing cyber security R&D by 35% to $548 million next year

More organized outside attacks

More pervasive inside misuse

Facts and Figures

Fierce CIO, January 16, 2011

Computerworld, February 15, 2011


Information

Security

Confidentiality

Integrity

Availability

The Security Triad


Threats

Impacts


• Priorities

• Roles and responsibilities

• Targeted capabilities

• Specific goals (timeframe)

InfoSec Strategy

Business Strategy

• Core values

• Purpose

• Capabilities

• Client promise

• Business targets

• Specific goals

• Initiatives

• Action items

• Assignments and accountabilities

Business Integration


Monitoring, measuring and reporting

Integrating with business metrics

Weekly management meetings

Monthly dashboard review with employees

Quarterly goals met

Team rewards

Creating the Culture


Incenting the behavior

Assignments and accountabilities

Personal contribution reports

Performance reviews

Daily interactions with team members

New system and process deployment

Creating the Culture


Ask where are we today?

High level survey – taking the pulse

Assessment

Define and communicate expectations

Company policies

Employee training

Third party contract requirements (what about the Cloud?)

Making it Happen


Implement changes

Workflow (make it easy)

Technology

Physical

Ask how are we doing?

Checkpoints

Audits

Making it Happen


Productive

Responsive

Agile

Cost-effective

Reasonable to use (vs. annoying)

Trade-offs


• Client data

• Trade secrets

• Product details

• Competitive advantages

• Employee information

• Websites

• Blogs

• Social networking

• Employee “break time” 

• Twitter

• Facebook

• LinkedIn

Trade-offs


Impact (Probability * Loss)

Cost to Secure

ACCEPT

MITIGATE

TRANSFER

AVOID

DEPENDS

Trade-offs


Integrate with business strategic planning

Confirm workflows make good practices easy

Know the impact of new systems/processes

Know the impact of system/process maintenance

Confirm mobile computing addresses risks

Take-Aways: Build in Security


Demonstrate that security is critical

Challenge assumptions of security

Ask about the risks

Monitor, measure, report

Hold everyone accountable

Reward behaviors

Take-Aways: Create the Culture


Take a quick pulse

Maintain up to date security policies

Keep security “top of mind”

Debrief projects including security focus

Maintain good asset management

Plan Do Check Act

Take-Aways: Make it Happen


Access

Server audit logs are turned on and retained

Firewall firmware is up to date

Mobile devices are properly encrypted

Take-Aways: Some Specifics


Business continuity

Key systems have uninterruptible power supplies

Backups tested regularly

Disaster recovery plans in place

Business continuity testing for key systems

System maintenance as scheduled

Take-Aways: Some Specifics


Application security

Security patches up to date

No unauthorized programs installed

Corporate applications have up to date security reviews

Antivirus software installed

Virus definitions up to date

Take-Aways: Some Specifics


Security governance

Configuration changes approved prior to implementation

Incidents handled by incident response plans

Media sanitized before being reused or disposed

Systems have documented security controls

Take-Aways: Some Specifics


Security awareness

Password procedures

Data storage procedures

Mobile computing

Software security practices

Email security practices

Take-Aways: Some Specifics


For More Information

JurInnov Ltd.

1375 Euclid Avenue, Suite 400

Cleveland, OH 44115

1.216.664.1100