INFORMATION SECURITY: A DAY IN THE LIFE (PowerPoint PPT Presentation)

SLIDE 1

INFORMATION SECURITY

A DAY IN THE LIFE

SLIDE 2

SLIDE 3

SLIDE 4

SLIDE 5

SLIDE 6

WHO AM I?

  • Security officer for MIE
  • CISSP, CISA, CGEIT, CRISC, CRMA, PMP, FLMI and studying for CISM
  • RMR and JA
  • Interactive session – share stories
SLIDE 7

THREAT SOURCES

  • Nation States
  • Terrorists
  • Industrial Spies
  • Organized Crime
  • Hacktivists
  • Hackers
  • Business Competitors
  • Employees – accidental or deliberate

https://ics-cert.us-cert.gov/content/cyber-threat-source-descriptions
https://hitrustalliance.net/threat-catalogue/

SLIDE 8

IT STARTS WITH THE DATA

SLIDE 9

BUSINESS ALIGNMENT

Mission of the Business
Strategic Business Objectives
Information Security

Mission: Develop, execute and maintain a proactive, company-wide security program based on strategic business objectives
Vision: Incorporate a continuous security mindset into all aspects of our business functions

SLIDE 10

INFOSEC OBJECTIVES

  • Security
  • Privacy
  • Confidentiality
  • Integrity
  • Availability

SLIDE 11

GOVERNANCE

  • Board of Directors
  • IT Audit Committee
  • Policies
  • Standards
  • Procedures
  • Security Team
  • Compliance Team

[Program stack so far: InfoSec Objectives]

SLIDE 12

OWNERSHIP

  • Data Owner
  • Asset Inventory
  • Data Classification

[Program stack so far: InfoSec Objectives → Governance]

SLIDE 13

BUSINESS RESILIENCY

  • BCP (Business Continuity Plan)
  • DRP (Disaster Recovery Plan)
  • IRP (Incident Response Plan)
  • BIA (Business Impact Analysis)

[Program stack so far: InfoSec Objectives → Governance → Ownership]

SLIDE 14

______ MANAGEMENT

  • Risk Analysis and Management
  • Patch Management
  • Vulnerability Management
  • Vendor/Supply Chain Management

[Program stack so far: InfoSec Objectives → Governance → Ownership → Resiliency]

https://www.google.com/alerts#
https://www.nist.gov/
https://csrc.nist.gov/
https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final
https://csrc.nist.gov/publications/detail/sp/800-161/final

SLIDE 15

TECHNICAL CONTROLS

  • AV
  • IDS/IPS
  • Encryption
  • Logging and Monitoring
  • DLP

[Program stack so far: InfoSec Objectives → Governance → Ownership → Resiliency → ______ Management]

SLIDE 16

STORY TIME

  • Cost of a laptop is $2,000
  • Additional cost of losing the laptop is $8,000
  • Asset Value (AV) = $10,000
  • Exposure Factor (EF) = 100%
  • Single Loss Expectancy (SLE) = AV × EF = $10,000
  • On average, we “lose” 3 laptops per year (Annualized Rate of Occurrence, ARO = 3)
  • Annual Loss Expectancy (ALE) = SLE × ARO = $30,000

Security Spending
Dennis steals the dinosaur embryos

SLIDE 17

RETURN ON SECURITY INVESTMENT

ALE before encryption control: $30,000
Encryption cuts EF to 20%, so SLE falls to $10,000 × 20% = $2,000
ALE after implementing control: $2,000 × 3 = $6,000
Yearly cost of control: $20,000
Return on Security Investment = (ALE before − ALE after) − yearly cost of control = $30,000 − $6,000 − $20,000 = $4,000
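The laptop story and the ROSI slide above are one calculation (SLE = AV × EF, ALE = SLE × ARO, ROSI = ALE reduction minus yearly control cost). The following Python is an added example, not part of the original deck, that carries the slides' figures through and adds two checks a security officer would want before presenting the number to the board: the break-even exposure factor the control must reach to pay for itself, and how the answer moves with the ARO estimate. The class `Scenario` and the functions `rosi`, `breakeven_exposure_factor` and `rosi_by_aro` are this example's own names.

```python
"""Quantitative risk arithmetic from the laptop-loss story: SLE, ALE and ROSI.

Added example, not from the original deck.  The figures ($2,000 laptop, $8,000
additional loss, 3 losses per year, EF of 20% after encryption, $20,000 yearly
control cost) are the ones on the slides; the names here are this example's own.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    asset_value: float       # AV: replacement cost plus the cost of losing the data
    exposure_factor: float   # EF: fraction of AV lost per incident, 0.0 to 1.0
    aro: float               # ARO: expected incidents per year

    def __post_init__(self) -> None:
        # Guard the inputs: an EF above 100% or a negative rate is a data-entry error.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


def rosi(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Return on Security Investment = (ALE before - ALE after) - yearly cost of control.

    A negative result means the control costs more per year than the loss it avoids.
    """
    return (before.ale - after.ale) - annual_control_cost


def breakeven_exposure_factor(before: Scenario, annual_control_cost: float) -> float:
    """Highest post-control EF at which ROSI is still >= 0, holding AV and ARO fixed.

    Solves (ALE_before - AV * EF * ARO) - cost = 0 for EF.  Returns 0.0 when the
    control could not pay for itself even if it eliminated the loss entirely.
    """
    exposure_per_year = before.asset_value * before.aro
    if exposure_per_year == 0:
        return 0.0
    ef = (before.ale - annual_control_cost) / exposure_per_year
    return min(1.0, max(0.0, ef))


def rosi_by_aro(before: Scenario, after: Scenario, annual_control_cost: float,
                aros: tuple) -> dict:
    """ROSI under several ARO estimates, because 'how often does this happen' is
    usually the least certain input and can flip the sign of the result."""
    return {
        aro: rosi(replace(before, aro=aro), replace(after, aro=aro), annual_control_cost)
        for aro in aros
    }


# Constructed from the slides' figures.
LAPTOP_BEFORE = Scenario(asset_value=2_000 + 8_000, exposure_factor=1.0, aro=3)
LAPTOP_AFTER = replace(LAPTOP_BEFORE, exposure_factor=0.20)  # after disk encryption
ENCRYPTION_COST = 20_000  # yearly cost of the control


if __name__ == "__main__":
    print(f"SLE before: ${LAPTOP_BEFORE.sle:,.0f}   ALE before: ${LAPTOP_BEFORE.ale:,.0f}")
    print(f"SLE after:  ${LAPTOP_AFTER.sle:,.0f}   ALE after:  ${LAPTOP_AFTER.ale:,.0f}")
    print(f"ROSI: ${rosi(LAPTOP_BEFORE, LAPTOP_AFTER, ENCRYPTION_COST):,.0f}")
    print(f"Break-even EF: {breakeven_exposure_factor(LAPTOP_BEFORE, ENCRYPTION_COST):.0%}")
    for aro, value in rosi_by_aro(LAPTOP_BEFORE, LAPTOP_AFTER, ENCRYPTION_COST, (1, 2, 3, 5)).items():
        print(f"  ARO {aro}: ROSI ${value:,.0f}")
```

With the slides' numbers the control breaks even at an EF of about 33%: encryption has to cut the per-incident loss by at least two thirds before the $20,000 a year is justified. The sensitivity table shows the same control losing money if only one laptop a year goes missing, which is why the ARO estimate deserves as much scrutiny as the asset value.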

SLIDE 18

3RD PARTY ASSESSMENTS

  • External Pen Test
  • Internal Pen Test
  • Wireless Pen Test
  • Social Engineering

[Program stack so far: InfoSec Objectives → Governance → Ownership → Resiliency → ______ Management → Controls]

SLIDE 19

ACCESS CONTROL

  • Logical
  • Physical
  • Remote

[Program stack so far: InfoSec Objectives → Governance → Ownership → Resiliency → ______ Management → Controls → 3rd Party Assessments]

SLIDE 20

KERBEROS

SLIDE 21

COMPLIANCE

  • HIPAA / HITECH
  • FISMA
  • FFIEC
  • GLBA
  • SOX
  • GDPR, CONSENT, CCPA, PIPEDA
  • Privacy Shield

[Program stack so far: InfoSec Objectives → Governance → Ownership → Resiliency → ______ Management → Controls → 3rd Party Assessments → Access Control]

SLIDE 22

CERTIFICATIONS

  • SOC
  • HITRUST CSF
  • PCI DSS
  • FedRAMP
  • Cloud Security Alliance

SLIDE 23

SECURITY AWARENESS

  • New hire training
  • Annual refresher training
  • Monthly newsletters
  • NCSAM – October
  • Periodic newsflashes

[Program stack so far: InfoSec Objectives → Governance → Ownership → Resiliency → ______ Management → Controls → 3rd Party Assessments → Access Control → Compliance and Certifications]

SLIDE 24

DATA RECOVERABILITY

  • Online failover replica
  • Real-time replica offsite
  • Long-term offline backup

[Program stack so far: InfoSec Objectives → Governance → Ownership → Resiliency → ______ Management → Controls → 3rd Party Assessments → Access Control → Compliance and Certifications → Security Awareness]

SLIDE 25

… STILL MORE

  • Cyber Insurance
  • Internal & External Audits
  • Regular exclusion checks: OIG LEIE and SAM

[Program stack so far: InfoSec Objectives → Governance → Ownership → Resiliency → ______ Management → Controls → 3rd Party Assessments → Access Control → Compliance and Certifications → Security Awareness → Data Recoverability]

https://oig.hhs.gov/exclusions/index.asp
https://www.sam.gov/SAM/

SLIDE 26

INFOSEC RECAP

  • Not one person or a team of people; the entire organization
  • Defense in depth
  • If you see something, say something
  • https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity