Cover your Ass(ets)
Security is Simple
• Discuss the differences between types of environments
– Physical: everyone can see the people who do not belong
– Digital: in many cases you need to do more inspection to see who does not belong
– The secretary knows where the physical assets are, but not necessarily what they contain
– IT has access to everything, can see what people have done, and can change things; who watches the watchers?
Common Aspects
• Proper defense involves layering.
• Both employ security measures that block certain entry.
• Both require detection to be effective.
Stacking == reactive addition/change
• Quick, we need a firewall, we were hacked!
• OMG, we need Antivirus 2010 & Antivirus 360, we need new antivirus programs!
• Security caught someone wandering in the secure fenced-in area, we need to replace the barbed wire with razor wire.
Layering == Planned addition/change
• Let's review our security policy; TJX & Google were hacked.
• We got hit by AV2010; let's look at our user training & policies.
• Let's look at where we need to be in 6 months to a year to remain secure.
• Let's look at the trends in crime around our buildings and make sure physical security is up to snuff.
Know your ASSETS
• Gold
• Chemicals
• Livestock
• Crops
• Paper
• Cars
• Children
• Family
• House
• Personal Data?
• SSN? Banking Info
• Trade Secrets
• Government Secrets
• TOP SECRET?
• Prisoners
• Infrastructure
• Airplanes
How are they classified?
• Confidential
• Secret
• Top Secret
• TS/SCI
• FOUO
• Important
• Normal
• Business critical
• etc.
What are you protecting them from?
• Thieves
• Predators
• Spills
• Weather
• Contamination
• Fire/Ice/Water
• Insider Threat
• Assassins
• Hackers
• War
• Spies
• Auditors
• Criminals
• Fraud
• Piracy
• Pirates
Determine your priorities
Decide what you are protecting, and what you're protecting it from!
PRIORITIES
How do you protect your priorities?
• Determine who needs access and when
• What level of risk are you going to accept?
• What is available?
– Laws?
– Technology?
– Physical assets (fences, guards, …)
• Does it need to be monitored?
• Who is responsible / in charge?
Are there legal requirements?
• What do you need to comply with?
• SOX
• HIPAA
• PCI
• PII
• RED FLAG
• Military regs?
• State & Local Laws
RISK
• What level of risk is acceptable for each type of asset?
• What is YOUR level of risk? Write SHIT DOWN! Mail/email it to your boss to CYA.
Developing the plan
• Timeline: how long will it take to get from where you are now to where you need to go?
• What is the cost estimate?
• Where does that fall in the priorities?
OMFG
• That costs too much!
• Re-evaluate the levels of acceptable risk and the associated costs.
Write the plan
• Review the requirements
• Review the plan
• Does it meet the goals?
• Implement the plan.
Proactive (cycle diagram): Review → Rewrite → Implement → Future → back to Review
Physical & Virtual Security
• In many respects Physical & Virtual Security are similar.
• Layering vs Stacking (physical)
• Layering vs Stacking (virtual)
• Know what you are protecting?
• What are you protecting it from?
• What are the priorities?
• What can you not lose?
• What are the regulatory requirements?
• What laws do you have to follow?
• What is the acceptable level of risk?
• How long will it take to get there?
• How much is it going to cost?
• What is the true acceptable level of risk?
• How long will it really take?
• Determine a strategy.
• How can you tell when something has gone wrong?
• Come up with procedures & policies
• Put it together in a plan
• Review the plan
• Send it for approval
• "Correct" the plan
• Test the plan
• Fix the plan
• Finalize the plan
• Implement the plan
• Review it periodically. WHAT!! WHY? We did it right!