Cover your Ass(ets) Security is Simple


Page 1: Security is Simple

Cover your Ass(ets)

Security is Simple

Page 2

• Discuss the differences between types of environments
– Physical: everyone can see the people who do not belong.
– Digital: in many cases you need to do more inspection to see who does not belong.
– The secretary knows where the physical assets are, but not necessarily what they contain.
– IT has access to everything, can see what people have done, and can change things. Who watches the watchers?

Page 3

Common Aspects

• Proper defense involves layering.
• Both employ security measures that block certain entry.
• Both require detection to be effective.

Page 4

Stacking == reactive addition/change

• "Quick, we need a firewall, we were hacked!"
• "OMG, we got hit by Antivirus 2010 and Antivirus 360 (rogue antivirus malware), we need new antivirus programs!"
• "Security caught someone wandering in the secure fenced-in area, we need to replace the barbed wire with razor wire."

Page 5

Layering == planned addition/change

• "Let's review our security policy; TJX and Google were hacked."
• "We got hit by AV2010; let's look at our user training and policies."
• "Let's look at where we need to be in 6 months to a year to remain secure."
• "Let's look at the trends in crime around our buildings and make sure physical security is up to snuff."

Page 6

Know your ASSETS

• Gold
• Chemicals
• Livestock
• Crops
• Paper
• Cars
• Children
• Family
• House
• Personal data?
• SSN? Banking info
• Trade secrets
• Government secrets
• TOP SECRET?
• Prisoners
• Infrastructure
• Airplanes

Page 7

How are they classified?

• Confidential
• Secret
• Top Secret
• TS/SCI
• FOUO
• Important
• Normal
• Business critical
• etc.

Page 9

What are you protecting them from?

• Thieves
• Predators
• Spills
• Weather
• Contamination
• Fire/Ice/Water
• Insider threat
• Assassins
• Hackers
• War
• Spies
• Auditors
• Criminals
• Fraud
• Piracy
• Pirates

Page 10

Determine your priorities

PRIORITIES

Decide what you are protecting, and what you're protecting it from!

Page 11

How do you protect your priorities?

• Determine who needs access, and when.
• What level of risk are you going to accept?
• What is available?
– Laws?
– Technology?
– Physical assets (fences, guards, ...)
• Does it need to be monitored?
• Who is in responsible charge?

Page 12

Are there legal requirements?

• What do you need to comply with?
• SOX
• HIPAA
• PCI
• PII
• Red Flags Rule
• Military regs?
• State and local laws

Page 13

RISK

• What level of risk is acceptable for each type of asset?
• What is YOUR level of risk? Write SHIT DOWN! Mail/email it to your boss to CYA.

Page 14

Developing the plan

• Timeline: how long will it take to get from where you are now to where you need to go?
• What is the cost estimate?
• Where does that fall in the priorities?

Page 15

OMFG

• "That costs too much!"
• Re-evaluate the levels of acceptable risk and the associated costs.

Page 16

Write the plan

• Review the requirements.
• Review the plan.
• Does it meet the goals?
• Implement the plan.

Page 17

Proactive cycle (diagram): Review -> Rewrite for the future -> Implement -> Review ...

Page 21

Physical & Virtual Security

• In many respects, physical and virtual security are similar.

Page 22

• Layering vs. stacking (physical)
• Layering vs. stacking (virtual)
• Know what you are protecting.
• What are you protecting it from?
• What are the priorities?
• What can you not lose?
• What are the regulatory requirements?
• What laws do you have to follow?
• What is the acceptable level of risk?
• How long will it take to get there?
• How much is it going to cost?
• What is the true acceptable level of risk?
• How long will it really take?
• Determine a strategy.
• How can you tell when something has gone wrong?
• Come up with procedures and policies.
• Put it together in a plan.
• Review the plan.
• Send it for approval.
• "Correct" the plan.
• Test the plan.
• Fix the plan.
• Finalize the plan.
• Implement the plan.
• Review it periodically. "WHAT!? WHY? We did it right!"