IT Simplifier Webinar: How to improve security through your associates (Part 1 of 3)

TRANSCRIPT

Page 1: How to improve security through your associates (Part 1 of 3)
Source: brossgroup.com/wp-content/uploads/2014/03/Security-Webinar-22014.pdf

IT Simplifier Webinar: How to improve security through your associates (Part 1 of 3)

Page 2

Page 3

About Bross Group

• Client has control over the project
• Bross Group provides qualified candidates but is not responsible for project outcome
• Designed to alleviate resource constraints and/or provide temporary staffing solutions

• Bross Group provides risk management, communications, project management and/or change management
• Bross is responsible for project outcomes
• Based upon clearly defined requirements and SOWs

• Contingent fee services
• Bross Group locates and presents qualified candidates
• Client vets candidate(s) and directly presents offers
• Client pays a placement fee to Bross for successful placements

Bross Group assumes full responsibility for any combination of the following:
• People
• Business Process
• Operations
• Service Level Agreements define expectations and contractual obligations

Page 4

IT Simplifier Webinar: How to improve your security through associates (Part 1 of 3)

Presented by: Cindy Gibson

March 4, 2014

Page 5

Your Speaker Today is Cindy Gibson

Cindy combines a business-minded approach with strong technical acumen. She is a certified Project Management Professional (PMP), Certified Agile Scrum Master (CSM), Certified Six Sigma Green Belt and Certified Information Systems Security Professional (CISSP), and offers knowledge of COBIT processes, ITIL foundations and the SDLC.

Bross Group Security Program Director

Page 6

Agenda: How to improve security through your associates

• Top 3 Risks Caused by Associates and Why

• 20 Critical Security Controls Every Company Should Have

• How to Improve Security Through Your Associates: By Providing Security Policies Everyone Can Follow

• Next Steps and Where to Go From Here

Page 7

Is Your Organization Ready for a Cyber Security Breach?

• Let’s face it, businesses just like yours face a multitude of security threats every single day. Many you can fend off, many you can’t.

• In Target’s case, it is estimated they will face $1–3.6 BILLION in fines!

Page 8

20 Critical Security Controls

1. Inventory authorized and unauthorized devices

2. Inventory authorized and unauthorized software

3. Secure configurations for HW/SW on mobile devices, laptops, desktops, and servers

4. Continuous vulnerability assessment and remediation

5. Malware defenses

6. Application software security

7. Wireless device control

8. Data recovery capability

9. Security skills assessment and appropriate training to fill gaps

10. Secure configurations for network devices (firewalls, routers, switches)

11. Limitation and control of network ports, protocols and services

12. Controlled use of administrative rights

13. Boundary defenses

14. Maintenance, monitoring, and analysis of audit logs

15. Controlled access based on the need to know

16. Account monitoring and control

17. Data loss prevention

18. Incident response and management

19. Secure network engineering

20. Penetration tests and red team exercises

Page 9

Top 3 Security Risks Caused by Associates: Qualitative Risk Assessment

[Figure: risk matrix. Vertical axis: Occurrence Probability (Low >50%, Medium 50%–90%, High >90%). Horizontal axis: Impact on Business (Risk, Compliance, Costs), Low to High. Plotted risks 1–3: Inappropriate Access, Unauthorized Apps, Work Machines for Personal Use; overall rating shown as Medium.]

1. 90% of end users have “legacy” access, giving them inappropriate access to proprietary information

2. 83% of end users use their work machines for personal reasons, transferring files between work and personal machines

3. 50% of data leaks are caused by unauthorized use of applications

Page 10

“I Have to Get My Job Done!”

[Image; caption: Notice the phone]

Page 11

Why Don’t They Follow Policies?

• They don’t know the policies

• If they do, no one is enforcing the policies

• Policies get in the way of productivity

Page 12

Help Associates Get Their Jobs Done: Provide security policies everyone can follow

1. Understand data flow & determine access needs (on & offsite)

2. Secure corporate infrastructure

3. Be explicit about what can & cannot be done on the corporate network & with corporate data

4. Communicate & train associates on a regular basis

5. Enforce policies

Page 13

Top 20 Critical Security Controls (repeat of the list on Page 8)

Page 14

Write Explicit Security Policies: Create policies everyone can follow

1. Determining Security Framework

• Establish information access requirements
• Consider why each group or individual needs access to information
• Consider the liabilities each individual or group represents
• Research legal requirements – company private or public?
• Consider bonding or insurance options to mitigate financial exposure
• Determine what types of software and devices can be used in your organization

2. Writing security policy & documenting exceptions

• Clearly define what associates can & cannot do on corporate infrastructure & with corporate information, both onsite and offsite
• Address access to financial data, employee files, customer data and mission-critical information
• Eliminate legacy access
• Outline roles & responsibilities for computer & physical files
• Document policy exceptions & privileged access
• Document authorized applications
• Document how to use personal equipment to access corporate information
• Provide instructions on how to report security lapses

3. Gaining Approval & Publishing

• Ensure policy is in line with the technology-based information security plan
• Ensure executives understand what is expected from them
• Provide executives with statements clearly establishing security as a high priority, and gain approval to enforce the policy
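Two of the items above, "Eliminate legacy access" and "Document policy exceptions & privileged access", become mechanically checkable once the access requirements are actually written down. The following Python is an added example, not code from the Bross Group deck or from any product it mentions: it compares each user's current entitlements against a role-to-entitlement matrix and an exception register, and reports anything that neither justifies, treating an expired exception or a role that was never documented as legacy access too. The role names, entitlement names, users, exceptions and review date are constructed sample data; in practice the three inputs would be exported from your directory and IAM system.

```python
"""Detect "legacy" access: entitlements a user holds that are justified neither
by the user's current role nor by a documented, unexpired exception.

Added example, not from the original deck. ROLE_MATRIX, PRIVILEGED, the users,
exceptions and the as-of date are constructed stand-ins for IAM/directory exports.
"""
from dataclasses import dataclass
from datetime import date

# Documented access requirements: role -> entitlements that role needs.
ROLE_MATRIX = {
    "accounts_payable": {"erp_ap_clerk", "fileshare_finance_ro", "email"},
    "hr_generalist": {"hris_employee_files", "fileshare_hr_rw", "email"},
    "sysadmin": {"domain_admin", "vpn_admin", "email"},
    "sales_rep": {"crm_read", "crm_write_own", "email"},
}
# Entitlements the policy treats as privileged; findings on these are escalated.
PRIVILEGED = {"domain_admin", "vpn_admin", "erp_ap_approver"}


@dataclass(frozen=True)
class AccessException:
    """A documented policy exception granting one entitlement to one user."""
    user: str
    entitlement: str
    approved_by: str
    expires: date


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    reason: str        # no_role_basis | expired_exception | role_not_in_matrix
    privileged: bool


def find_legacy_access(users, role_matrix, exceptions, privileged, today):
    """users: {user: {"role": str, "entitlements": set[str]}}.
    Returns findings sorted by user, then entitlement."""
    # Index exceptions by (user, entitlement), keeping the latest expiry if duplicated.
    by_key = {}
    for e in exceptions:
        k = (e.user, e.entitlement)
        if k not in by_key or e.expires > by_key[k].expires:
            by_key[k] = e

    findings = []
    for user, rec in sorted(users.items()):
        role_known = rec["role"] in role_matrix
        allowed = role_matrix.get(rec["role"], set())
        # Anything outside the role's documented needs must be covered by an exception.
        for ent in sorted(rec["entitlements"] - allowed):
            exc = by_key.get((user, ent))
            if exc is not None and exc.expires >= today:
                continue  # justified by a current, documented exception
            if exc is not None:
                reason = "expired_exception"
            elif not role_known:
                reason = "role_not_in_matrix"  # undocumented role: nothing is justified
            else:
                reason = "no_role_basis"
            findings.append(Finding(user, ent, reason, ent in privileged))
    return findings


def summarize(findings, users):
    """Roll findings up into the kind of numbers a risk slide would quote."""
    affected = {f.user for f in findings}
    pct = round(100 * len(affected) / len(users)) if users else 0
    return {
        "users_total": len(users),
        "users_with_legacy_access": len(affected),
        "pct_users_with_legacy_access": pct,
        "privileged_findings": sum(f.privileged for f in findings),
    }


# Constructed sample input: an entitlement dump and an exception register.
SAMPLE_USERS = {
    # alice moved from HR to AP and kept the HR share: classic legacy access
    "alice": {"role": "accounts_payable",
              "entitlements": {"erp_ap_clerk", "fileshare_finance_ro", "email", "fileshare_hr_rw"}},
    "bob": {"role": "sysadmin", "entitlements": {"domain_admin", "vpn_admin", "email"}},
    # carol's approver right was a temporary exception that has lapsed
    "carol": {"role": "sales_rep",
              "entitlements": {"crm_read", "crm_write_own", "email", "erp_ap_approver"}},
    # dave's cross-department share access is covered by a current exception
    "dave": {"role": "hr_generalist",
             "entitlements": {"hris_employee_files", "fileshare_hr_rw", "email", "fileshare_finance_ro"}},
    # erin's role was never written into the matrix
    "erin": {"role": "contractor", "entitlements": {"email"}},
}
SAMPLE_EXCEPTIONS = [
    AccessException("carol", "erp_ap_approver", "cfo", date(2014, 1, 31)),
    AccessException("dave", "fileshare_finance_ro", "cfo", date(2014, 12, 31)),
]
AS_OF = date(2014, 3, 4)  # constructed review date

if __name__ == "__main__":
    results = find_legacy_access(SAMPLE_USERS, ROLE_MATRIX, SAMPLE_EXCEPTIONS, PRIVILEGED, AS_OF)
    for f in results:
        flag = " [PRIVILEGED]" if f.privileged else ""
        print(f"{f.user:6} {f.entitlement:22} {f.reason}{flag}")
    print(summarize(results, SAMPLE_USERS))
```

Run against the sample data this reports alice's leftover HR share, carol's lapsed privileged exception and erin's undocumented role, while bob and dave are clean. The point of the design is that the review only works if the policy artefacts from this slide exist in machine-readable form: a role matrix that says who needs what, and an exception register with an owner and an expiry on every entry. Without them every entitlement looks either justified or suspicious, and the 90% "legacy access" figure quoted on Page 9 cannot be measured, let alone driven down.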

Page 15

Improving Security Through Associates

[Figure: cycle diagram centred on Associates: Develop Security Policies → Document Exceptions → Gain Approval → Publish → Train → Enforce → Communicate, repeating.]

Page 16

Next Steps

• Be Explicit: Write or edit existing policies to help associates understand what they can and cannot do on the corporate infrastructure and with corporate information

• Institutionalize Security Policy (April 1, 2014): Learn how to continually raise the profile of security through communications and training to begin institutionalizing security policies

• Continually Reduce Risk (May 6, 2014): Learn how to reduce your risk by enforcing security policies

Page 17

References

• SANS 20 Critical Security Controls: http://www.sans.org/critical-security-controls/

• Palo Alto Networks Application Usage Report: https://paloaltonetworks.com/resources/whitepapers/application-usage-and-threat-report.html

• Tufin Technology Survey conducted at Cisco Live! 2014: http://finance.yahoo.com/news/tufin-survey-reveals-91-security-130000208.html

• Tufin Technology Survey conducted in October 2013: http://www.tufin.com/media/146617/Security_Policy_Orchestration_Supporting_Tomorrows_Networks.pdf

• Information Week: Why Employees Break Security Policy: http://www.informationweek.in/informationweek/news-analysis/179680/employees-break-security-policy

• SANS Security Policies: http://www.sans.org/security-resources/policies/

Page 18

Increasing the value of today's webinar

• Visit brossgroup.com/blog; today's presentation is available to download

• Come back on April 1, 2014 to learn how to institutionalize security policies

• Check out the schedule of other upcoming Bross Group webinars and don’t forget to share these resources with your colleagues.

• Contact Bross Group account executives if you would like help writing your security policies: (303) 945-2700

Page 19

Questions?

To contact Cindy Gibson:

[email protected]

303-945-2713