Managing Information Security Risks
Ken M. Shaurette, CISSP, CISA, CISM, IAM
Information Security Solutions Manager, MPC Security Solutions
TechFest, December 2003

Agenda
• Why Security?
• Information Assets
• Threats
• Vulnerabilities
• Dynamic Security Methodology
• Risk Management
• MPC Security Solutions Delivers

Why Security?
• Legislation and community pressure
• Inappropriate use leads to disciplinary action
• Protecting critical infrastructures (InfraGard, DHS)
• Liability?
• It's simply a good idea!
Regulations Touch Everyone! Source:  Forrester / Giga Group GigaTel, Michael Rasmussen, Director of Research, Information Security, July 22, 2003.
Once upon a time….
Then things started to get a little ugly….
Security used to be easy to understand
Payroll Office…. Lock on door + lock on file cabinet + audits = reasonable security.

Security is now a little more complex
• Active Directory, X.500, NDS, Shadow Passwords
• VPN, PPTP, Telnet, SSH, IPSEC, Encryption
• Wireless, Fiber, ATM, T1, DS3, Dial-up, Cell, PDA
• PKI, Kerberos, DES, DES3, SHA, CHAP, PAP
• Client Server, Mainframe, ASP, Web Services
• Thin Client, Thick Client, Skinny Client, Tall Client
• Terminal Server, Distance Learning
• HTTPS, SSL

You know more than you think…
Information Security is about information. Technology is a piece of the puzzle. You should not have to master technology in order to manage risk.

The “Good” News
Technology has become easier and easier to implement:
• Anyone can install a server
• Anyone can install a network
• Anyone can bring up a web server
• Anyone can get connected (in lots of ways)

The “Bad” News
Technology has become easier and easier to implement:
• Anyone can install a server
• Anyone can install a network
• Anyone can bring up a web server
• Anyone can get connected (in lots of ways)
What are we securing against?
• Identity theft
• Privacy issues
• Copyright issues
• Hijacking of resources
• Liability
• Regulations

Information Assets: Which does your organization have?
• Records about special programs
• Residents' information
• Financial information
• Health information
• Statistical information

Information Assets: How do you identify value?
• Accounting / “book value”
• Intrinsic value / replacement cost
• Formal quantifiable methods (BCP/DRP)
• “Gut feel”

The “Best” News
There is hope!

Information Assets: What is worth protecting?
• Confidentiality (keeping secrets)
• Integrity (tamper-proofing)
• Availability (there when you need it)
Why protect?
• Community expectations
• Regulatory requirements
• Perception
• Liability

Information Assets: How do you protect?
• “Classification” (secret, top secret, unclassified)
• Policies (separation of duties, appropriate use)
• “Security Awareness training”
• “Common Sense” or “Second Thought” approach

Information Assets: How much do you spend on protection?
• Is it based on the value of the information?
• Is it based on the number and likelihood of threats?
• Are vulnerabilities accounted for?
• How much is enough protection?
• Is Return on Investment (ROI) expected or required?
Threats - Motive
What is the nature of a threat?
• Confidentiality (learning secrets)
• Integrity (tampering with data)
• Availability (denial of service)
Who poses a threat to the organization?
• Terrorists
• Former employees
• Unhappy residents
• Hackers

Vulnerabilities
• Absence or weakness of a safeguard
• Safeguards reduce the likelihood of expected loss from a threat
• Can be well known, such as a missing IIS patch
• Can be unknown, such as a design error
Types of vulnerabilities: technical, non-technical

Could any of these occur?
• Sexual harassment or stalking performed using your computers?
• Email threats to residents, officials, politicians?
• Community questions about how their tax money is being used?
• Community asks how computer systems are being wasted?

Dynamic Security Infrastructure (a cycle; each question drives the activity that follows it)
• "Where Are We Today?" – Baseline Current Security
• "Where Do We Need to Be?" – Security Requirements (New Risks, Legislation)
• "What Are The Shortfalls?" – Perform Gap Analysis
• "What Is Our Security Policy?" – Strategy Definition
• "How Do We Get There?" – Security Architecture
• "Implement!" – Deploy Solutions
• "Experience Feedback" – Compliance Reporting and Periodic Re-evaluation, which restart the cycle
Security Risk Management
• Understand the value of information
• Understand the threats
• Understand vulnerabilities and the corresponding safeguards
• Invest wisely in appropriate safeguards that reduce the impact of threats
• Emergency preparedness

Risk Mitigation
• Understand security risk
• Understand technology
• Accept risk: documentation of risk acceptance is a form of mitigation
• Defer or transfer risk: insurance
• Mitigate risk: technology can mitigate risk
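The spending questions (value of the information, likelihood of threats, vulnerabilities, ROI) and the accept / transfer / mitigate choices above, worked as a small calculation. This is an added example, not from the deck or from MPC; the asset values, likelihoods, safeguard costs and insurance premiums are constructed, and scoring risk as value × vulnerability × likelihood is an assumed simplification.

```python
"""Risk-based spending check: added example, not from the MPC deck; all figures constructed.
Scores value x likelihood x vulnerability, then picks accept / transfer / mitigate."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    value: float              # replacement cost or "book value", dollars
    threat_likelihood: float  # expected incidents per year
    vulnerability: float      # fraction of value lost when a threat lands (0..1)

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    likelihood_reduction: float  # fraction of threat likelihood removed (0..1)
    exposure_reduction: float    # fraction of vulnerability removed (0..1)

def annual_expected_loss(a: Asset) -> float:
    """Value x vulnerability x likelihood: loss expected per year with no safeguard."""
    return a.value * a.vulnerability * a.threat_likelihood

def residual_loss(a: Asset, s: Safeguard) -> float:
    """Expected loss per year once the safeguard is in place."""
    return (a.value * a.vulnerability * (1 - s.exposure_reduction)
            * a.threat_likelihood * (1 - s.likelihood_reduction))

def safeguard_value(a: Asset, s: Safeguard) -> float:
    """Loss avoided minus safeguard cost: the ROI question on the spending slide."""
    return annual_expected_loss(a) - residual_loss(a, s) - s.annual_cost

def decide(a: Asset, s: Safeguard, appetite: float, premium: float) -> str:
    """Accept within appetite; mitigate if the safeguard pays for itself; transfer if
    insurance costs less than the expected loss; otherwise accept and document it."""
    loss = annual_expected_loss(a)
    if loss <= appetite:
        return "accept"
    if safeguard_value(a, s) > 0:
        return "mitigate"
    if premium < loss:
        return "transfer"
    return "accept (documented)"

REGISTER = [  # constructed: (asset, candidate safeguard, annual insurance premium)
    (Asset("resident health records", 500_000, 0.2, 0.5),
     Safeguard("access controls + MFA", 15_000, 0.5, 0.6), 12_000),
    (Asset("payroll financial data", 300_000, 0.1, 0.8),
     Safeguard("encrypted offsite backup", 40_000, 0.5, 0.5), 8_000),
    (Asset("published statistics", 20_000, 0.5, 0.1),
     Safeguard("web server hardening", 2_000, 0.5, 0.5), 500),
]

def plan(register=REGISTER, appetite: float = 5_000) -> dict:
    """Map each asset name to its treatment decision."""
    return {a.name: decide(a, s, appetite, p) for a, s, p in register}
```

With the sample register the health records get mitigated (the safeguard avoids more loss than it costs), the payroll data is transferred (the safeguard does not pay for itself but insurance is cheaper than the expected loss), and the published statistics sit inside the risk appetite and are accepted.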
How Can MPC Help? Services
• Information Security Operational Planning (ISOP)
• Information Security Assessment Project (SA)
• Security Policy Review and Writing
• Security Risk Management Program
• Network Perimeter Security Sweep (NPSS)
• Internal Network Security Sweep (INSS)
• Secure Network Operations Center (RSMC) for network monitoring (IDS or Firewall)

How Can MPC Help? Technology
• Monitoring/Auditing Tools: workstation usage, license measurement, and computer utilization (5th Column)
• Access Controls: wireless, Active Directory, NDS, multiple-factor authentication (Novell, Microsoft)
• Filtering & Proxy Tools (Websense)
• Firewalls (PIX, Cyberguard)
• Intrusion Detection/Prevention (Host and Network)
• Application Gateways
• IP Video Surveillance
• Secure Network Infrastructure Design
• Wireless Technology
Thank You!
