Proactive information security michael
0 likes715 views
The document discusses how information security professionals can take a more proactive approach. It recommends developing a standard questionnaire to complete as part of the change process to identify security impacts early. This helps integrate security into processes. It also suggests implementing a Privacy and Security Impact Assessment tool to identify and mitigate risks associated with new systems before operationalization. Using these tools can help information security professionals address issues proactively before they become threats, build a culture of security, and provide assurance to executive teams.
Proactive information security michael
- 1. Proactive Information Security Asking the Right Questions Michael Calderin, CISSP-ISSMP, CCISO, CEH michael@calder.in http://calder.in
- 2. Are you a roadblock to progress? Information security must evolve from just an IT project to the core of critical business decisions. As an Information Security Leader: You must protect enterprise data from compromise AND drive innovation at the same time Gartner, Inc. (2014). Information Security. Retrieved from Gartner: http://www.gartner.com/technology/topics/information-security.jsp
- 3. Are you supporting your organization’s outcomes or inhibiting them? What do your peers think?
- 4. How do other executives see our jobs? To the average senior executive, security seems easy – lock the doors and post a guard. “Use all of that money that has been allocated to IT and come up with the entirely safe computer.” “Stop talking about risks and vulnerabilities and solve the problem.” Information security is complex and simple solutions are often the best for non-practitioners. Sherizen, S. (2000). The Business Case for Information Security: Selling Management on the Protection of Vital Secrets and Products. Retrieved from IT Today: http://www.ittoday.info/AIMS/DSM/82-01-32.pdf
- 5. Compliance enforcer and advisor As our IT environment grows, so do the legalities to be considered to comply with laws and regulations. We assist management in making sure that the organization is in compliance with the law. What can we offer? Sherizen, S. (2000). The Business Case for Information Security: Selling Management on the Protection of Vital Secrets and Products. Retrieved from IT Today: http://www.ittoday.info/AIMS/DSM/82-01-32.pdf Business enabler and company differentiator The internet has changed how organizations offer goods and services. Information security must provide a value- added way of providing ease of interaction as well as security and privacy of customer activities. We provide security to differentiate our organization by including security for free alongside the goods and services offered by our organization. This can boost customer satisfaction and encourage further use of online activities. Total quality management contributor Quality is directly related to information security. CIA allows an organization to offer customer service that is protected, personal, and convenient. We combine proper controls over processes, machines, and personnel, balancing our organization’s needs for production and protection. Our information security programs boost online transactions by helping customers see them as safe and reliable. “Peopleware” controller Information security helps control the unauthorized behavior of people through need-to-know and segregation-of-duties policies. We translate managerial decisions into information security policies, programs, and practices. We structure authorized usage and detect unauthorized usage.
- 6. How can we quickly and strategically become more proactive? The answer is not a technology, product, or vendor
- 7. Integrate security into processes Create a culture of security Address issues before they become threats Proactive Process P R E V E N T I O N D E T E C T I O N & R E M E D I A T I O N
- 8. My Situation Mid-sized business unit Less than 1000 people Multiple countries with varied regulatory requirements Relatively consolidated IT team Enormous change throughout our organization Security had a reputation for being disruptive and a bottleneck New staff carry over their expectations from prior roles Proactive security is a recent way of thought
- 9. The Tool: A Questionnaire Organizations may conduct an information security review before changing their systems Often informal and poorly documented Reviews are rarely built into a change process Still appropriate for today's business and regulatory environment? Develop a standard questionnaire to be completed as part of the change process Complete the questionnaire as early in the process as possible Responsibility for the change Technical security impacts Physical security considerations Logical security requirements Disaster recovery and business continuity Overly, M. R., Howell, C. T., & Scarano, R. M. (2012, February 1). A Proactive Approach to Information Security in Health Information Technology Procurements. (Foley & Lardner LLP) Retrieved from Association of Corporate Counsel: http://www.acc.com/legalresources/quickcounsel/apatisihit.cfm Questionnaire Availability Integrity Confidentiality
- 10. Privacy & Security Impact Assessment Decision-making tool used to identify and mitigate risks associated with new or changing systems Helps us understand how sensitive data is to be collected, used, shared, accessed, and stored Required Before sending business requirements for development Before operationalizing new systems As part of the change process Completed by those who best understand the change Reviewed by those who best understand privacy & security implications Approved PSIAs available for review within the organization United States Department of Homeland Security. (2014, January 30). Privacy Compliance. Retrieved from Homeland Security: http://www.dhs.gov/privacy- compliance
- 11. I didn’t invent this. Recommended by leading information security organizations ISACA SANS United Kingdom National Health Service United States Securities and Exchange Commission United States Department of Defense United States Department of Health and Human Services
- 12. My Approach Easy to understand Completed in minutes Addresses confidentiality, integrity, and availability Captures only basic info Qualitative assessment; not a quantitative risk analysis Advantages Disadvantages Requires short training and expert review
- 13. 1 Page, 2 Sections, 10 Questions 1. How sensitive is the information (how is it classified)? 2. What Personally Identifiable Information is used? 3. Which types of Protected Health Information are used? 4. Which critical systems are affected? 5. How will the information be used (a summary of the requirements)? 6. Are any third parties involved? If so, which ones? 7. If database changes are needed, what kinds? 8. Where is the production equipment physically located? 9. What is the business continuity impact? 10. What access rights will be needed and for whom?
- 14. Review Weekly review w/ interested parties If we have questions, we reach out to the person who completed the PSIA and/or the project sponsor Formal signoff on approval Otherwise, new requirements or controls communicated
- 15. Results Integrate security into processes Security is now considered when business requirements are documented Build a culture of security Over time, security requirements are thought of by other staff throughout the organization Address issues before they become threats Reviewing and discussing issues before work begins helps to control costs, deliver on time, and position security as a friend to the organization Provide assurance to your executive team Addressing issues before they become threats allows us to focus on reacting to external threats