IT Simplifier Webinar: How to improve security through your associates (Part 1 of 3)
TRANSCRIPT
About Bross Group
• Client has control over the project
• Bross Group provides qualified candidates but is not responsible for project outcome
• Designed to alleviate resource constraints and/or provide temporary staffing solutions

• Bross Group provides risk management, communications, project management and/or change management
• Bross is responsible for project outcomes
• Based upon clearly defined requirements and SOWs

• Contingent fee services
• Bross Group locates and presents qualified candidates
• Client vets candidate(s) and directly presents offers
• Client pays a placement fee to Bross for successful placements

Bross Group assumes full responsibility for any combination of the following:
• People
• Business Process
• Operations
• Service Level Agreements define expectations and contractual obligations
Presented by: Cindy Gibson
March 4, 2014
Your Speaker Today is Cindy Gibson, Bross Group Security Program Director
Cindy combines a business-minded approach with strong technical acumen. She is a certified Project Management Professional (PMP), Certified Agile Scrum Master (CSM), Certified Six-Sigma Green Belt and Certified Information Systems Security Professional (CISSP), and offers knowledge of COBIT processes, ITIL foundations and the SDLC.
Agenda: How to improve security through your associates
• 20 Critical Security Controls Every Company Should Have
• Top 3 Risks Caused by Associates and Why
• How to Improve Security Through Your Associates: By Providing Security Policies Everyone Can Follow
• Next Steps and Where to Go From Here
Is Your Organization Ready for a Cyber Security Breach?
• Let’s face it: businesses just like yours face a multitude of security threats every single day. Many you can fend off; many you can’t.
• In Target’s case, it is estimated the company will face $1–3.6 billion in fines!
20 Critical Security Controls
1. Inventory authorized and unauthorized devices
2. Inventory authorized and unauthorized software
3. Secure configurations for HW/SW on mobile devices, laptops, desktops, and servers
4. Continuous vulnerability assessment and remediation
5. Malware defenses
6. Application software security
7. Wireless device control
8. Data recovery capability
9. Security skills assessment and appropriate training to fill gaps
10. Secure configurations for network devices (firewalls, routers, switches)
11. Limitation and control of network ports, protocols and services
12. Controlled use of administrative rights
13. Boundary defenses
14. Maintenance, monitoring, and analysis of audit logs
15. Controlled access based on the need to know
16. Account monitoring and control
17. Data loss prevention
18. Incident response and management
19. Secure network engineering
20. Penetration tests and red team exercises
Top 3 Security Risks Caused by Associates: Qualitative Risk Assessment
[Chart: occurrence probability (Low, Medium 50%–90%, High >90%) plotted against impact on business (risk, compliance, costs; Low to High); the three risks below are plotted as points 1–3: Inappropriate Access, Unauthorized Apps, Work Machines for Personal Use]
1. 90% of end users have “legacy” access, giving them inappropriate access to proprietary information
2. 83% of end users use their work machines for personal reasons, transferring files between work and personal machines
3. 50% of data leaks are caused by unauthorized use of applications
“I Have to Get My Job Done!” (image: notice the phone)
Why Don’t They Follow Policies?
• They don’t know the policies
• If they do, no one is enforcing the policies
• Policies get in the way of productivity
Help Associates Get Their Jobs Done: Provide security policies everyone can follow
1. Understand data flow & determine access needs (on & offsite)
2. Secure corporate infrastructure
3. Be explicit about what can & cannot be done on the corporate network & with corporate data
4. Communicate & train associates on a regular basis
5. Enforce policies
Write Explicit Security Policies: Create policies everyone can follow

1. Determining security framework
• Establish information access requirements
• Consider why each group or individual needs access to information
• Consider the liabilities each individual or group represents
• Clearly define what associates can & cannot do on corporate infrastructure & with corporate information, both onsite and offsite
• Determine what types of software and devices can be used in your organization
• Address access to financial, employee files, customer data and mission-critical information
• Eliminate legacy access
• Research legal requirements – is the company private or public?

2. Writing security policy & documenting exceptions
• Provide instructions on how to report security lapses
• Outline roles & responsibilities for computer & physical files
• Document policy exceptions & privileged access
• Document authorized applications
• Document how to use personal equipment to access corporate information

3. Gaining approval & publishing
• Ensure policy is in line with the technology-based information security plan
• Ensure executives understand what is expected of them
• Consider bonding or insurance options to mitigate financial exposure
• Provide executives with statements clearly establishing security as a high priority, and gain approval to enforce the policy
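“Eliminate legacy access” and “Document policy exceptions & privileged access” are the two policy items above that can be checked mechanically, and they map directly to the risk-slide figure that 90% of end users carry legacy access. The access review below is an added example for this page; it is not Bross Group code and the webinar prescribes no tooling. The role baseline, the entitlement export and the exception register are constructed (hypothetical) data, and the field names are assumptions; a real review would load the same three inputs from the identity system and the documented-exceptions record.

```python
"""Access review that flags legacy, unjustified and unused entitlements.

Added example for this page, not Bross Group code. All data below is
constructed; a real review loads it from the identity system.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical need-to-know baseline: the entitlements each current role
# is expected to hold. Anything outside it needs a documented reason.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounting": {"erp_gl_read", "erp_ap_write"},
    "sales": {"crm_read", "crm_write"},
    "hr": {"hris_read", "hris_write"},
}

# Constructed register of documented policy exceptions (user, entitlement).
DOCUMENTED_EXCEPTIONS: Set[Tuple[str, str]] = {("carol", "erp_ap_write")}


@dataclass(frozen=True)
class Grant:
    """One row of a constructed entitlement export."""
    user: str
    current_role: str
    entitlement: str
    granted_under_role: str      # role the user held when the grant was made
    last_used: Optional[date]    # None means the grant has never been exercised


def review_grants(grants: List[Grant], today: date,
                  exceptions: Optional[Set[Tuple[str, str]]] = None,
                  stale_after: timedelta = timedelta(days=90)) -> List[Tuple[str, Grant]]:
    """Return (finding, grant) pairs for every grant that needs action.

    legacy      - outside the current-role baseline and granted under a
                  previous role: access that travelled with a role change
    unjustified - outside the baseline but granted under the current role
    stale       - inside the baseline but never used, or idle > stale_after
    exception   - documented exception: reported for re-review, not removal
    """
    exceptions = exceptions or set()
    findings: List[Tuple[str, Grant]] = []
    for g in grants:
        if (g.user, g.entitlement) in exceptions:
            findings.append(("exception", g))
            continue
        baseline = ROLE_BASELINE.get(g.current_role, set())
        if g.entitlement not in baseline:
            kind = "legacy" if g.granted_under_role != g.current_role else "unjustified"
            findings.append((kind, g))
        elif g.last_used is None or today - g.last_used > stale_after:
            findings.append(("stale", g))
    return findings


def summarize(findings: List[Tuple[str, Grant]]) -> Dict[str, int]:
    """Count findings by kind for the review report."""
    counts: Dict[str, int] = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample export as of the review date.
REVIEW_DATE = date(2014, 3, 4)
SAMPLE_GRANTS: List[Grant] = [
    Grant("alice", "accounting", "erp_gl_read", "accounting", date(2014, 3, 1)),
    # alice moved from sales to accounting; CRM write access came with her
    Grant("alice", "accounting", "crm_write", "sales", date(2013, 8, 15)),
    Grant("bob", "sales", "crm_read", "sales", None),                  # never used
    Grant("carol", "hr", "erp_ap_write", "hr", date(2014, 2, 22)),     # documented exception
    Grant("dave", "sales", "crm_write", "sales", date(2013, 12, 3)),   # 91 days idle
    Grant("erin", "sales", "crm_read", "sales", date(2013, 12, 4)),    # 90 days idle, still ok
]

if __name__ == "__main__":
    results = review_grants(SAMPLE_GRANTS, REVIEW_DATE, DOCUMENTED_EXCEPTIONS)
    for kind, g in results:
        print(f"{kind:11} {g.user:6} {g.entitlement}")
    print(summarize(results))
```

The exception register is deliberately a separate input: an exception that is not written down is indistinguishable from legacy access, which is the point of the “document exceptions” step. Documented exceptions are still reported so they get re-reviewed on each cycle rather than silently persisting.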
Improving Security Through Associates
[Cycle diagram, with Associates at the centre: Develop security policies → Document exceptions → Gain approval → Publish → Train → Enforce → Communicate → back to Develop security policies; Train and Enforce repeat continually]
Next Steps
• Be Explicit: Write or edit existing policies to help associates understand what they can and cannot do on the corporate infrastructure and with corporate information
• Institutionalize Security Policy (April 1, 2014): Learn how to continually raise the profile of security through communications and training to begin institutionalizing security policies
• Continually Reduce Risk (May 6, 2014): Learn how to reduce your risk by enforcing security policies
References
• SANS 20 Critical Security Controls: http://www.sans.org/critical-security-controls/
• Palo Alto Networks Application Usage and Threat Report: https://paloaltonetworks.com/resources/whitepapers/application-usage-and-threat-report.html
• Tufin Technology survey conducted at Cisco Live! 2014: http://finance.yahoo.com/news/tufin-survey-reveals-91-security-130000208.html
• Tufin Technology survey conducted in October 2013: http://www.tufin.com/media/146617/Security_Policy_Orchestration_Supporting_Tomorrows_Networks.pdf
• InformationWeek, Why Employees Break Security Policy: http://www.informationweek.in/informationweek/news-analysis/179680/employees-break-security-policy
• SANS Security Policies: http://www.sans.org/security-resources/policies/
Increasing the value of today's webinar
• Visit brossgroup.com/blog; today's presentation is available to download
• Come back on April 1, 2014 to learn how to institutionalize security policies
• Check out the schedule of other upcoming Bross Group webinars and don’t forget to share these resources with your colleagues
• Contact Bross Group account executives at (303) 945-2700 if you would like help writing your security policies