Page 1: Information Security for Business Leaders

© 2011 JurInnov, Ltd. All Rights Reserved

Information Security for Business Leaders

JurInnov, Ltd.

May 24, 2011

Page 2: Information Security for Business Leaders


Who Are We?

JurInnov helps organizations…

Apply technology to optimize electronic discovery

Collect and uncover evidence

Better protect, manage and track electronic information

…and relax a little

Page 3: Information Security for Business Leaders


Who Wants a Crisis Anyway?

Respond to a breach: Computer Forensics

Prevent the breach: Information Security

Page 4: Information Security for Business Leaders


Today’s Discussion

Threats to our businesses

Approach to Information Security

Business integration

Creating the culture

Making it happen

Trade-offs

Take-Aways

Page 5: Information Security for Business Leaders


In the News

April 2011 – Sony Corp. data breach, 100 million PlayStation Network accounts

Wall Street Journal, May 18, 2011 – “Sony Corp Chief Executive Howard Stringer said he can't guarantee the security of the company's videogame network or any other Web system in the ‘bad new world’ of cybercrime.”

“… maintaining security is a ‘never-ending process’ and he doesn't know if anyone is 100%.”

Page 6: Information Security for Business Leaders


In the News

Third Parties

April 4, 2011 – Over 2,500 companies that used Epsilon’s marketing services had to inform customers that their data system had been exposed to unauthorized entry.

Page 7: Information Security for Business Leaders


Facts and Figures

Average breach costs $214 per record

Average organizational cost $7.2 million per incident

(The Ponemon Institute Study, March 18, 2011)

Risk and compliance budgets expected to increase by 21% in 2011

(McAfee 2011 Risk and Compliance Report)

Page 8: Information Security for Business Leaders


Facts and Figures

The US government is increasing cyber security R&D by 35% to $548 million next year

More organized outside attacks

More pervasive inside misuse

Sources: Fierce CIO, January 16, 2011; Computerworld, February 15, 2011

Page 9: Information Security for Business Leaders


The Security Triad

Information Security

Confidentiality

Integrity

Availability

Page 10: Information Security for Business Leaders


Threats

Impacts

Page 11: Information Security for Business Leaders


Business Integration

InfoSec Strategy
• Priorities
• Roles and responsibilities
• Targeted capabilities
• Specific goals (timeframe)

Business Strategy
• Core values
• Purpose
• Capabilities
• Client promise
• Business targets
• Specific goals
• Initiatives
• Action items
• Assignments and accountabilities

Page 12: Information Security for Business Leaders


Creating the Culture

Monitoring, measuring and reporting

Integrating with business metrics

Weekly management meetings

Monthly dashboard review with employees

Quarterly goals met

Team rewards

Page 13: Information Security for Business Leaders


Creating the Culture

Incenting the behavior

Assignments and accountabilities

Personal contribution reports

Performance reviews

Daily interactions with team members

New system and process deployment

Page 14: Information Security for Business Leaders


Making it Happen

Ask: where are we today?

High level survey – taking the pulse

Assessment

Define and communicate expectations

Company policies

Employee training

Third party contract requirements (what about the Cloud?)

Page 15: Information Security for Business Leaders


Making it Happen

Implement changes

Workflow (make it easy)

Technology

Physical

Ask: how are we doing?

Checkpoints

Audits

Page 16: Information Security for Business Leaders


Trade-offs

Productive

Responsive

Agile

Cost-effective

Reasonable to use (vs. annoying)

Page 17: Information Security for Business Leaders


Trade-offs

• Client data
• Trade secrets
• Product details
• Competitive advantages
• Employee information

• Websites
• Blogs
• Social networking
• Employee “break time”
• Twitter
• Facebook
• LinkedIn

Page 18: Information Security for Business Leaders


Trade-offs

Impact (Probability * Loss) vs. Cost to Secure

Options: ACCEPT, MITIGATE, TRANSFER, AVOID, DEPENDS

Page 19: Information Security for Business Leaders


Take-Aways: Build in Security

Integrate with business strategic planning

Confirm workflows make good practices easy

Know the impact of new systems/processes

Know the impact of system/process maintenance

Confirm mobile computing addresses risks

Page 20: Information Security for Business Leaders


Take-Aways: Create the Culture

Demonstrate that security is critical

Challenge assumptions of security

Ask about the risks

Monitor, measure, report

Hold everyone accountable

Reward behaviors

Page 21: Information Security for Business Leaders


Take-Aways: Make it Happen

Take a quick pulse

Maintain up-to-date security policies

Keep security “top of mind”

Debrief projects, including security focus

Maintain good asset management

Plan, Do, Check, Act

Page 22: Information Security for Business Leaders


Take-Aways: Some Specifics

Access

Server audit logs are turned on and retained

Firewall firmware is up to date

Mobile devices are properly encrypted

Page 23: Information Security for Business Leaders


Take-Aways: Some Specifics

Business continuity

Key systems have uninterruptible power supplies

Backups tested regularly

Disaster recovery plans in place

Business continuity testing for key systems

System maintenance as scheduled

Page 24: Information Security for Business Leaders


Take-Aways: Some Specifics

Application security

Security patches up to date

No unauthorized programs installed

Corporate applications have up-to-date security reviews

Antivirus software installed

Virus definitions up to date

Page 25: Information Security for Business Leaders


Take-Aways: Some Specifics

Security governance

Configuration changes approved prior to implementation

Incidents handled by incident response plans

Media sanitized before being reused or disposed

Systems have documented security controls

Page 26: Information Security for Business Leaders


Take-Aways: Some Specifics

Security awareness

Password procedures

Data storage procedures

Mobile computing

Software security practices

Email security practices

Page 27: Information Security for Business Leaders


For More Information

JurInnov Ltd.

1375 Euclid Avenue, Suite 400

Cleveland, OH 44115

1.216.664.1100