frsecure's ten security principles to live (or die) by
DESCRIPTION
Presentation delivered to attendees of RK Dixon's 2011 Tech Summit on November 8, 2011. Presenter is Evan Francen, president of FRSecure.TRANSCRIPT
Protecting your Information and your Customer’s Information
Ten principles to live (or die) by
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
Before we get started:
• This is not your typical presentation.
• What you have to say is as important as what I am going to tell you.
• You are encouraged to participate!
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
I will ask you questions, if you don’t ask me some!
FRSecure and RK Dixon
• How we got to know each other
• Customers benefit from our work together
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
FRSecure
• Information security consulting company – it’s all we know how to do.
• Established in 2008 by people who have earned their stripes in the field.
• We help small to medium sized organizations solve information security challenges.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
Speaker – Evan Francen, CISSP CISM CCSK
• President & Co-founder of FRSecure
• 20 years of information security experience
• Security evangelist with more than 700 published articles
• Experience with 150+ public & private organizations.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
Speaker – Evan Francen, CISSP CISM CCSK
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
Topics
• Some questions to get us started
• Ten principles to live (or die) by
• Information security today
• Information security predictions
• What should you be doing?
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
What is information security?
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
This is really a question for you
Fundamentally, Information Security is:The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information.
Controls:Administrative – Policies, procedures, processesPhysical – Locks, cameras, alarm systemsTechnical – Firewalls, anti-virus software, permissions
Protect:Confidentiality – Disclosure to authorized entitiesIntegrity – Accuracy and completenessAvailability – Accessible when required and authorized
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
Why do we need information security?
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
What if you do nothing?
It’s likely that there will be consequences• Civil suits• Regulatory fines• Legal fees• Investigation fees• FBI investigations• Forensic investigations• Loss of consumer confidence• Loss of brand name recognition and status• Loss of customers, potentially to be driven out of business• Potential personal liabilities for company leaders• Loss of Intellectual property• Etc., etc., etc.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
When you think of information security, how do you feel?Be honest
The ten FRSecure principles that we live by.Derived from more than 15 years of information security experience with companies across the board in terms of size, industry, demographic and geographic criteria.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
#1 - We don’t work well in a bubble.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
#2 - Information security isn’t an IT issue.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
#3 - People are the most significant risk.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
#4 – “Compliant” doesn’t mean “secure”.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
#5 – Businesses are in business to make money.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
#6 – There’s no common sense in information security.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
#7 – “Secure” is relative.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
#8 – Information security doesn’t always have to be a cost-center.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
#9 – Information security isn’t a one size fits all solution.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
#10 – There’s no “easy button”.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
Information Security Today - Compliance
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
Information Security Today - Breaches
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
Information Security Today – The Cloud
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
Information Security Today – Mobile
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
What does the future hold?
Do you want the good news or the bad news first?
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
What does the future hold?
The good newsThere will be real rewards for organizations that take security seriously
• Incentive-based regulations
• Lower costs in other areas of business; insurance, process efficiencies, etc.
• Competitive advantage
In general, there will be a greater awareness of information security
Real quantifiable data will be available to determine the most optimal investments
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
What does the future hold?
The bad newsWe expect more:
• Attacks targeted at small firms• Pressure from customers• Legislation & regulation• Hacktivism• State-sponsored attacks• Mobile device attacks
What Should I Be Doing?
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
What should you be doing?
•Practice “due care”
•Formalize a risk-based approach
•Make yourself defensible• Prevention
• Detection
• Correction
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
Conclusion• Take the time to understand basic information security concepts
• Stay current on world events, but don’t lose focus on your specific needs
• Choose risk as your driver; not compliance or customer requirements
• Capitalize on benefits
Call us if you have questions or need help!
Copyright NoticeMaterial contained in this document is proprietary to FRSecure LLC and is to be treated confidentially by all recipients. Acceptance of delivery of this material constitutes acknowledgment of the confidential relationship under which disclosure and delivery are made. FRSecure copyrights this material and all rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system without permission in writing from FRSecure.
YOU MADE IT! - Questions?About FRSecureFRSecure LLC is a full-service information security consulting company. We are
dedicated to information security education, awareness, application, and improvement. FRSecure helps clients understand, design, implement, and manage best-in-class information security solutions; thereby achieving optimal value for every information security dollar spent. Our clients are in business to make money, so we design secure solutions that drive business, protect sensitive information assets, and improve the bottom line.
Want a copy of these slides? Leave a business card