Presented at SecureWorld Expo Atlanta 2010
Assessing Your IT Security Processes
By Peter Chronis, CISSP, PMP
Systematic IT Risk Reduction
Enterprise Risk Management requires a thoughtful analysis of the people, processes and technologies used to manage IT risk and your organization’s risk tolerance.
Creating a system that:
• Continually assesses processes and mitigation strategies
• Monitors security programs at the operational and program level
• Adapts to evolving threats
• Focuses on reducing the risk profile over the next 6-24 months
Tailoring Your Approach
No correct “one size fits all” approach to managing risk.
Assess risk tolerance
Align with organizational strategy and SLAs
Evaluate organizational talent
Avoidance, acceptance, transfer
Incorporate thought leaders
Aligning with the right standard
Security Process Assessment
IT security process analysis
Effectiveness/maturity
Program level management
Assessing the gaps
Defining the security strategy for your organization
Very few corporations know what kind of data resides on their network, where it is, who has access to it, and the cost associated with its theft.
Process Improvement Cycle
Assess Security Processes
Rate Process Effectiveness
Group & Identify Gaps
Define Strategy
Execute Plan
Security Process Identification
Assess your IT security process footprint, ensuring wide coverage of all processes used to reduce your enterprise IT risk.
ISO 27002 domains: Policy, Access Control, Application Development, BC/DR, Cryptography, Governance, Physical, Network/Telecom, Others
Process Improvement Strategy
Assess Security Processes
Rate Process Effectiveness
Group & Identify Gaps
Define Remediation
Execute Plan
Maturity Assessment
Rate the effectiveness of your existing security processes using a maturity model. Interview your security and business stakeholders to identify organizational needs and process gaps.
• Level 0 – Not performed
• Level 1 – Ad hoc and reactive
• Level 2 – Repeatable, possibly with consistent results, but not rigorous
• Level 3 – Managed to a documented standard (SLA) and subject to some degree of improvement over time
• Level 4 – Actively managed operationally using metrics that maximize efficiency and effectiveness
• Level 5 – Focused on continually improving process performance through incremental and innovative technological improvements
Program Gap Analysis Example
Processes A-D require a mitigation strategy to close the gap between the existing processes and what is required to reduce risk.
Real Life Threat – Operation Aurora
• Access to source code repositories
• IE configurations
• Local admin. privileges
• Logging and event correlation
• Bot C&C communication
• Security awareness for offshore employees/partners
• Much, much more
Be Watchful of Security Trends
• Annual/quarterly security reports
• Top security blogs
• Industry sites
• Conferences
• Networking
• Vendor presentations
Mitigation Guidance
IT risk mitigation strategies must:
• balance business impact with cost
• be operationally supportable
• explore technology, process innovation, and resource reallocation
• adapt as threats evolve
• define success using operational metrics