Are you a Beefeater?
GET FOCUSED ON PROTECTING YOUR CROWN JEWELS
I defend my company's competitive advantage by helping solve business problems through technology to work faster and safer.
Introduction
Who is Jack Nichelson?
- Global Information Security Manager at a large manufacturing company
- 15 years of experience in IT Security & Risk Management
- Active in the security community (DefCon, ShmooCon, DerbyCon)
- Teaches Network Security and advises the Baldwin Wallace CCDC team
“Solving Problems is my Passion”
Problem Statement
Key Challenges:
- A need for information everywhere and on everything. What is a Crown Jewel, where is it, who needs it, and how is it protected?
- Traditional classification policies and handling guidelines have failed and are not consistently applied or used for decision making.
- The culture inside the organization is not ready to do anything about sensitive data.
- Vendor Management is not part of the Data Classification process.
“No More Borders”
Most security failures can be traced back to failures of decision making, not failures of technology.
“For too long, compliance has tested physical assets and ignored the thing that matters most” - Chris Nickerson
Beefeaters
Who better to protect your Crown Jewels than the Beefeaters? Tap into the iconic London guard’s reputation to develop an elite force that defends your organization’s most valuable assets, even from trusted insiders.
“Change of the Guard”
Once you have the basics covered, it’s time to start focusing on protecting your most important data.
- Empower the Data Handlers and hold the Data Owners responsible
- Data Governance: a team effort, but an individual responsibility!
Solution Approach
The Power of Three:
- FBI - Counterintelligence for Corporate America: establish a new mental model in leadership about the threats
- PwC - Data Governance: data classification criteria, ranking & inventory of data elements
- SANS - 20 Critical Controls: align security controls with key threats to data elements
“Security Spending is out of Balance”
- Big increase in IT security spending (Gartner)
- Time to stop the unfocused spending on security and find the right balance of people, process & technology.
Counterintelligence
Essential Elements of a Counterintelligence Program:
- Create an organization-wide Data Privacy & CI Steering Committee
- Recognition of the insider & foreign threat potential
- Internal and external partnerships embedded within the company at key decision points
- Integration of CI and Information Technology Security
- CI awareness program & communication channel
“Lead through Awareness”
Mission: protect the company’s classified & proprietary technologies from theft, and protect its most valuable asset, its people.
Data Governance
Data Classification Process:
Gather & Assess Data Elements
- Conduct detailed working sessions to identify & define sensitive data
- Define levels of confidentiality (Public, Internal, Confidential, Restricted)
- Identify data elements, applications and data flows, and create a data inventory
Weight & Heat Map Data Elements
- Assign a weighting to each identified data element
- Ensure operational activities are aligned with the classification
- Create a heat map of data classifications and risks across each functional area
- Get management agreement on the classification scoring & the threats of data loss
The first step in protecting your data is knowing its value, so you have a reason to find it.
“Can't protect what you don’t understand”
Security Framework
Guiding Principles:
- Start from thinking you have been breached and work backwards
- Defenses should focus on the most common & damaging attacks
- Ensure consistent controls are applied for the right level of impact
- Defenses should be automated, measured, and audited
- Measurements & metrics that everyone agrees on
“Focusing your Resources”
The 20 Critical Security Controls focus on prioritizing security on “What Works” for immediate high-value action.
“Don’t prioritize too many priorities” – James Tarala
Process Framework:
- DEFINE your critical data assets
- DISCOVER the critical data security environment
- BASELINE critical data security processes and controls
- SECURE critical data
- MONITOR with proper governance and metrics
Key Steps to Get Started:
- Define what your critical data is & how to score it
- Define your Data Classification Criteria & Ranking
- Create an Inventory of your Data Elements
- Establish Processes & Controls to protect your data
How to get started: Defining Your Critical Data
Information Security Maturity Plan
Milestone Accomplishments:
- Monthly Security Awareness Training
- Patching most systems within 15 days
- Removed Java from 85% of workstations
- Hard Drive Encryption for Laptops
- Web Security with Egress Filtering
- Network perimeter: monitored firewalls
- Minimum Security Baselines
Achieved basic security compliance
Achieved basic blocking & tackling security
Data Governance Roadmap
Classification Criteria
(The original slide is a table with the columns Category, Description, Sample Documents/Records, Marking, Reproduction, Distribution, Storage, and Destruction/Disposal; it is laid out here one category per block.)

Public
- Description: Information that can be publicly disclosed.
- Sample documents/records: Marketing materials authorized for public release such as advertisements, brochures, published financial reports, Internet web pages, catalogues, external public presentations and technical publications.
- Marking: None, except a copyright notice if applicable.
- Reproduction: Unlimited.
- Distribution: Not restricted.
- Storage: Not restricted.
- Destruction/Disposal: Recycling/trash.

Internal
- Description: Information whose unauthorized disclosure outside the organization would be inappropriate and inconvenient.
- Sample documents/records: Intranet web pages, internal contact information, newsletters, certain corporate policies and procedures, town hall presentations, benefit options, postings on internal bulletin boards, internal SDS databases.
- Marking: None required, but can be marked "FOR INTERNAL DISTRIBUTION ONLY" if needed.
- Reproduction: Unrestricted internally.
- Distribution: Internal distribution only.
- Storage: Not restricted.
- Destruction/Disposal: Paper: shred. Electronic: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops, printers etc. to IT for appropriate disposal.

Confidential
- Description: Information that will have a moderate* negative material impact on the organization. This information will negatively impact the organization if disclosed. (*Less than $** million loss.)
- Sample documents/records: Best practices, job manuals, R&D technical documents, QA information including test data, idea records, engineering drawings and documentation, PLC programs, certain agreements, customer lists, cost information, personally identifiable information, personal health information.
- Marking: Company CONFIDENTIAL or [business unit] CONFIDENTIAL (the unit names are garbled in the source). Company CONFIDENTIAL is the umbrella marking for data that can be shared between the companies; a business unit's CONFIDENTIAL marking is for that business only. Marking is mandatory on the first page.
- Reproduction: Only for legitimate business purposes and to a limited audience. Secure print only.
- Distribution: Internal: distribute to a limited audience, those who need to know; link to the document where possible when emailing; limit printing. External: only with an appropriate agreement in place or by manager approval.
- Storage: Encrypted network file share; encrypted USB (company owned); no local storage on hard drive; no storage on personal devices or in personal email. Paper confidential documents must be stored under lock and key when not in use.
- Destruction/Disposal: Paper: shred. Electronic: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops, printers etc. to IT for appropriate disposal.

Restricted
- Description: Information that will have a significant* negative material impact on the organization and can provide significant third-party personal or competitive financial gain. (*Greater than $** million loss.)
- Sample documents/records: Export controlled data, ITAR controlled data, [business unit] Customer Confidential and Supplier Confidential information, communications marked attorney-client privilege, M&A information, and any information deemed "crown jewels" by the business team.
- Marking: Company RESTRICTED, FMI RESTRICTED, SEADRIFT RESTRICTED. Marking is mandatory on all pages of all documents. May require additional marking (e.g., export controlled, Seadrift Customer Confidential) depending on the type of data.
- Reproduction: None, except with the permission of the Business Segment President, the VP of R&D, or the Business Segment Director of Intellectual Property, and all copies are tracked.
- Distribution: Defined distribution list approved by the Business Segment President, the VP of R&D, or the Business Segment Director of Intellectual Property. No further distribution allowed.
- Storage: Encrypted network file share; no local storage on hard drive; no storage on personal devices or in personal email. Paper restricted documents must be stored under lock and key when not in use. All restricted data must be encrypted at rest and in motion, with two-factor authentication required for access. Full audit trail required.
- Destruction/Disposal: Paper: shred. Electronic: physically destroy the media. Send CDs, DVDs, dead hard drives, laptops, printers etc. to IT for appropriate disposal.

Note on disposal: degaussing only sanitizes magnetic media. Flash storage (SSDs, USB sticks, phones) must be cryptographically erased or physically destroyed, whichever category it holds.
Classification Scoring
All three scales run 1-5. The CONTROLS scale is inverted relative to the other two: a higher controls score means weaker controls, so on every scale a higher number means more risk.

LIKELIHOOD
Score  Description                              Frequency of events
5      Expected (occurs often)                  At least once a month
4      Probable (known to occur)                Once every six months
3      Possible (known to occur occasionally)   Once a year
2      Unusual (has occurred somewhere)         Once every 3-5 years
1      Remote (could happen, but unlikely)      Less than once in 5 years

IMPACT
Score  Impact                Description                                                                         Potential loss of earnings/cash flow
5      Catastrophic / Major  If this risk were to materialize, the company would find it difficult to recover.   Over $25,000,000
4      Significant           The consequences of the risk materializing can be managed to some extent.           $5,000,000 - $25,000,000
3      Moderate              The consequences of the risk materializing are not severe and can be managed.       $1,000,000 - $5,000,000
2      Low                   The consequences of the risk materializing are considered relatively unimportant.   $100,000 - $1,000,000
1      Negligible            No consequences of this risk materializing are detectable.                          Less than $100,000

CONTROLS
Score  Description
5      There is no formal or informal control associated with the risk. This includes uncontrollable risks.
4      Controls do not provide reasonable assurance that a risk will be detected consistently or in a timely manner. Controls of this type are informal and insufficient to prevent or mitigate the risk effectively.
3      Controls in place provide assurance with a high level of certainty that a risk will be detected or prevented consistently and in a timely manner. Controls of this type are formal but highly manual; risk mitigation is implemented in a “reactionary” manner.
2      Controls in place provide assurance with a high level of certainty that a risk will be detected or prevented consistently and in a timely manner. Controls of this type are formalized and tested on a regular basis, and are rated as “best practices”.
1      Controls in place provide assurance with the highest level of certainty that a risk will be detected or prevented consistently and in a timely manner. These controls are highly formalized, automated and tested on a regular basis, and are rated as “exceeding best practices”.
Inventory of Data Elements
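As an added worked example (not from the deck and not the author's own tooling), the Python below applies the three scales from the Classification Scoring slide to a constructed inventory of data elements: it scores each element, derives its confidentiality level, flags elements whose controls are not commensurate with that level, and rolls the results up into the per-functional-area heat map that the Weight & Heat Map step calls for. The deck does not say how the three scores combine, so the product formula, the impact-to-level mapping, the per-level controls ceiling and the sample inventory are all assumptions made for this illustration.

```python
"""Worked example of the deck's classification scoring applied to a small data element
inventory. Added illustration, not the presenter's tool.

ASSUMPTIONS not stated in the deck (marked again where they appear):
  * risk score = likelihood x impact x controls, each 1-5, so the range is 1..125
  * the confidentiality level is derived from the impact score alone
  * each level has a ceiling on the controls score it may carry
"""
from collections import defaultdict
from dataclasses import dataclass

# Scales from the Classification Scoring slide (1-5; for CONTROLS, 5 is the weakest).
LIKELIHOOD = {5: "Expected", 4: "Probable", 3: "Possible", 2: "Unusual", 1: "Remote"}
IMPACT = {5: "Catastrophic", 4: "Significant", 3: "Moderate", 2: "Low", 1: "Negligible"}
CONTROLS = {5: "None", 4: "Informal", 3: "Formal, manual", 2: "Formal, tested", 1: "Automated, tested"}

# ASSUMED mapping. The criteria table ties Confidential to a "moderate" loss and
# Restricted to a "significant" loss but leaves the dollar cut-off as "$**".
LEVEL_BY_IMPACT = {1: "Public", 2: "Internal", 3: "Confidential", 4: "Restricted", 5: "Restricted"}
LEVEL_ORDER = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}

# ASSUMED ceilings: the weakest controls rating each level may carry before the element
# is flagged as under-protected (Restricted data needs formal, tested controls).
MAX_CONTROLS_BY_LEVEL = {"Public": 5, "Internal": 4, "Confidential": 3, "Restricted": 2}


@dataclass(frozen=True)
class DataElement:
    name: str
    area: str        # functional area that owns the data (R&D, HR, Finance ...)
    likelihood: int  # 1-5 per the LIKELIHOOD scale
    impact: int      # 1-5 per the IMPACT scale
    controls: int    # 1-5 per the CONTROLS scale (5 = no controls)

    def __post_init__(self):
        # Reject out-of-range scores rather than silently producing a bogus ranking.
        for field in ("likelihood", "impact", "controls"):
            value = getattr(self, field)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {field}={value!r} must be an integer 1-5")


def risk_score(e: DataElement) -> int:
    """ASSUMED formula: product of the three scores (1..125)."""
    return e.likelihood * e.impact * e.controls


def level(e: DataElement) -> str:
    """Confidentiality level derived from the impact score (ASSUMED mapping)."""
    return LEVEL_BY_IMPACT[e.impact]


def control_gap(e: DataElement) -> int:
    """Steps by which the controls rating exceeds the level's ceiling; 0 = commensurate."""
    return max(0, e.controls - MAX_CONTROLS_BY_LEVEL[level(e)])


def under_protected(elements):
    """Elements whose controls are not commensurate with their level, crown jewels first."""
    gaps = [e for e in elements if control_gap(e) > 0]
    return sorted(gaps, key=lambda e: (-LEVEL_ORDER[level(e)], -control_gap(e), -risk_score(e)))


def heat_map(elements):
    """Per functional area: element count, highest and total risk score, and gap count."""
    cells = defaultdict(lambda: {"count": 0, "max": 0, "total": 0, "gaps": 0})
    for e in elements:
        cell = cells[e.area]
        s = risk_score(e)
        cell["count"] += 1
        cell["max"] = max(cell["max"], s)
        cell["total"] += s
        cell["gaps"] += 1 if control_gap(e) else 0
    return dict(cells)


# Constructed sample inventory (illustrative scores, not the deck's data).
INVENTORY = [
    DataElement("PLC programs", "Engineering", likelihood=3, impact=3, controls=3),
    DataElement("R&D engineering drawings", "R&D", likelihood=4, impact=5, controls=4),
    DataElement("M&A pipeline", "Finance", likelihood=2, impact=5, controls=2),
    DataElement("Customer list", "Sales", likelihood=4, impact=3, controls=4),
    DataElement("Town hall slides", "HR", likelihood=5, impact=2, controls=5),
    DataElement("Personal health information", "HR", likelihood=2, impact=3, controls=3),
    DataElement("Product brochure", "Marketing", likelihood=5, impact=1, controls=5),
]

if __name__ == "__main__":
    for e in sorted(INVENTORY, key=risk_score, reverse=True):
        print(f"{risk_score(e):3d}  {level(e):<12} gap={control_gap(e)}  {e.area:<12} {e.name}")
    print("Under-protected:", [e.name for e in under_protected(INVENTORY)])
    for area, cell in sorted(heat_map(INVENTORY).items()):
        print(f"{area:<12} {cell}")
```

Ranking by raw score alone puts the frequently exposed, low-impact town hall slides (50) above the M&A pipeline (20), which is why `under_protected` sorts by level before score: the output then leads with Restricted data whose controls fall short, which is the "controls commensurate with data element scoring" gap the program is meant to close. Replace the sample inventory and the assumed cut-offs with the scores and thresholds management has agreed to.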
Summary
Stop waiting for others and start today:
- People: counterintelligence awareness training. Empower the Data Handlers and hold the Data Owners responsible.
- Process: facilitated discussions. Build a consensus on data classification criteria, ranking & inventory of data elements.
- Technology: align security controls with key threats. Implement security controls commensurate with data element scoring.
“There's a reason why technology should be the last step”
Time to stop the unfocused spending on security and find the right balance of people, process & technology.
“Good security is not something you have, it’s something you do” – Wendy Nather
What questions are there?
Jack Nichelson
E-mail: [email protected]
Twitter: @Jack0Lope