User Briefing
Convergence of Security
Bob Radvanovsky, Infracritical
Allan McDougall, Evolutionary Security Management
October 20-21, 2008
Midwest Information Security Forum
Chicago, IL

The contents of this presentation are confidential and intended solely for
use by forum participants. Copyright © 2008 IANS. All rights reserved.
Introduction

• About Infracritical and Evolutionary Security Management
  – Infracritical and ESM were formed as a result of the need to establish and
    define standards and protocols for Critical Infrastructure Protection (CIP).
  – We’re one of the industrial leaders within the private sector, providing research
    to management, best practice capabilities, education and training, information
    sharing practices, and (most importantly) information security awareness
    programs to both private and public sectors throughout the United States,
    Canada and North America.

• About Bob Radvanovsky and Allan McDougall
  – Experienced in Critical Infrastructure Protection (CIP), visionaries, speakers,
    and published authors on the subject (Bob: 4 books, Allan: 2 books).




                                                  2008 Midwest Information Security Forum   1
Convergence of Physical and Logical Infrastructure

• Physical security infrastructure (access control systems, CCVE, etc.) has
  traditionally operated in isolation from other systems in order to maintain
  confidence that the system has not been compromised.

  – As these systems become web-enabled, there is increasing concern that
    they can be subject to compromises such as hacking, spoofing, etc.

  – As these systems take up space within the network infrastructure, there is
    increasing concern that network assets are becoming single points of
    failure that can expose the whole organization to compromise.

  – Finally, there is increasing concern that as the complexity of these physical
    security systems increases, they can occupy increasing amounts of network
    resources (bandwidth) and become a business limiter.




Convergence of Physical and Logical Infrastructure

• Consider this diagram of a network-enabled CCTV system spanning several
  locations

• Each element is assigned an IP address

• Do these infrastructure points allow an attacker to control the
  infrastructure point, or to gain access through it?




Solution Strategy

• Build awareness and integrate the Physical Security and IT Security communities
  into a common Asset Protection community, paying particular attention to
  building comprehensive awareness and the capacity of personnel to work across
  domains.

  – Put forward a plausible vision
  – Manage expectations
  – Set achievable goals
  – Maximize the ability to first anticipate, then detect and respond to, emerging
    issues




Key Steps

• Key Activities:
  – A – Cross-train personnel to build awareness
  – B – Small-scale projects to build and prove interaction between communities
  – C – Ensure expert-driven contributions to improve effectiveness, reduce
    waste and identify possible avenues of risk

• Key Resources:
  – Visionary leadership
  – Cross-training, up to cross-certification, integrated into job expectations
  – Small-scale test environment isolated from critical systems




Results

• Security personnel more aware of situations that give threat agents the means and
  opportunity to compromise the organization

• Greater granularity of understanding of infrastructure at the enterprise level

• Greater ability to achieve domain awareness in terms of facility security and
  trend analysis through automation




Lesson #1: Manage Expectations

• Just because technology exists doesn’t mean it’s appropriate to your
  environment
  – Security intrinsic to the system, commensurate with the assets being protected
  – Tested, certified, or accredited?

• Put a check and balance on new technology acquisitions, ensuring that they are
  proposed on the basis of business lines
  – New technology should be linked to improvements in business processes
    or reductions in overhead
  – Closely monitor communities that constantly attempt to install the “latest
    and greatest”

• Unnecessary collections of shiny things only attract trouble




Lesson #2: Set a Central Change Management Authority

• Senior Management Support
  – Early step in the consultation process
  – Mandatory step in the approval process

• Check and balance for integration of new technologies
  – Consistency (procurement, maintenance and disposal)
  – Modularity to ensure granularity (detail) and interoperability (compatibility)
  – Scalability in support of changing and evolving business requirements

• Management of change means appropriately integrating tools to improve
  efficiency and effectiveness




Lesson #3: Balance the Team

• Do not allow Physical Security or IT Security to dominate
  – Symbiosis under the need to ensure effective and efficient business
    processes
  – Take advantage of knowledge bases across communities to ensure the best
    possible solution

• Appropriate Delegation
  – Prevent decisions made without understanding risk
  – Ensure risk management includes consideration for all potentially impacted
    parties (including system and data owners where appropriate)

• Reinforce the concept that individual success depends upon team success




Lesson #4: Integrate Process Models for Integration

• Similar to the COBIT model
  – Plan and Organize based on business needs, ensuring the ability to
    prevent, detect, respond to and recover from security events
  – Acquire and Implement to ensure that modularity and scalability are
    maintained while not exposing critical infrastructure to unknown risks
  – Deliver and Support using personnel who understand physical and logical
    risks, so that internal actions do not create unknown vulnerabilities
  – Monitor and Evaluate the performance of the system against performance
    criteria commensurate with the sensitivity of the assets involved

• Remember that process is there to serve a purpose, not to be the purpose




Lesson #5: Understand that Knowledge is Power

• Awareness in management of key issues
  – What is real and what is visionary

• Cross-training of experts to minimize conflicts of ideologies and maximize
  understanding
  – Definition bases
  – Core concepts and models
  – Due diligence

• Impose continuous learning and professional development
  – Do not allow complacency
  – When you’re green you’re ripe; when you’re ripe you’re rotten

• You need to understand that administration, management and leadership are
  complementary but not the same thing


Contact Information

Bob Radvanovsky, CIFI, CISM, CIPS
rsradvan@infracritical.com

Allan McDougall, PCIP, CMAS
amcdougall@evolutionarysecurity.ca




Introduction to The overview of GAAP LO 1-5.pptx
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agency
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024
 
PDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdfPDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdf
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024
 

IANS-2008

  • 1. User Briefing: Convergence of Security
      Bob Radvanovsky, Infracritical
      Allan McDougall, Evolutionary Security Management
      October 20-21, 2008, Midwest Information Security Forum, Chicago, IL
      The contents of this presentation are confidential and intended solely for use by forum participants. Copyright © 2008 IANS. All rights reserved.
  • 2. Introduction
      About Infracritical and Evolutionary Security Management
       Infracritical and ESM were formed as a result of the need to establish and define standards and protocols for Critical Infrastructure Protection (CIP).
       We’re one of the industrial leaders within the private sector, providing research to management, best practice capabilities, education and training, information sharing practices, and (most importantly) information security awareness programs to both private and public sectors throughout the United States, Canada and North America.
      About Bob Radvanovsky and Allan McDougall
       Experienced in Critical Infrastructure Protection (CIP), visionaries, speakers, and published authors on the subject (Bob: 4 books, Allan: 2 books).
      2008 Midwest Information Security Forum 1
  • 3. Convergence of Physical and Logical Infrastructure
       Physical Security infrastructure (access control systems, CCVE, etc.) has traditionally operated in isolation from other systems in order to maintain the confidence that the system has not been compromised.
      – As these systems become web-enabled, there is increasing concern that they can be subject to compromises such as hacking, spoofing, etc.
      – As these systems take up space within the network infrastructure, there is increasing concern that network assets are becoming single points of failure that can expose the whole organization to compromise.
      – Finally, there is increasing concern that as the complexity of these physical security systems increases, they can occupy increasing amounts of network resources (bandwidth) and become a business limiter.
  • 4. Convergence of Physical and Logical Infrastructure
       Consider this diagram of a network-enabled CCTV system spanning several locations.
       Each element is assigned an IP.
       Do these infrastructure points allow an attacker to control the infrastructure point, or to gain access through the infrastructure point?
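The three concerns on slides 3 and 4 (exposed or misplaced devices, bandwidth as a business limiter, and network assets as single points of failure) can be checked against an asset inventory. The following is an added example, not part of the original briefing; the device inventory, VLAN names, uplink capacities and the three-device threshold are constructed assumptions.

```python
"""Added example (not from the briefing): a small risk model for a
network-enabled CCTV deployment in which every element has an IP."""
from collections import defaultdict

# Constructed inventory: each element has an IP, sits on a VLAN, depends on
# one uplink switch, and streams a nominal bandwidth (Mbit/s). "mgmt_exposed"
# means its management interface is reachable from outside its own VLAN.
DEVICES = [
    {"name": "cam-lobby-1", "ip": "10.50.1.11", "vlan": "cctv", "uplink": "sw-hq-1",  "mbps": 4, "mgmt_exposed": False},
    {"name": "cam-lobby-2", "ip": "10.50.1.12", "vlan": "cctv", "uplink": "sw-hq-1",  "mbps": 4, "mgmt_exposed": False},
    {"name": "nvr-hq",      "ip": "10.50.1.2",  "vlan": "cctv", "uplink": "sw-hq-1",  "mbps": 0, "mgmt_exposed": True},
    {"name": "cam-dock-1",  "ip": "10.10.0.40", "vlan": "corp", "uplink": "sw-site2", "mbps": 8, "mgmt_exposed": True},
    {"name": "cam-yard-1",  "ip": "10.10.0.41", "vlan": "corp", "uplink": "sw-site2", "mbps": 8, "mgmt_exposed": False},
]
UPLINK_CAPACITY_MBPS = {"sw-hq-1": 100, "sw-site2": 10}  # constructed link budgets
SECURITY_VLANS = {"cctv"}                                 # assumed dedicated segment


def misplaced_devices(devices):
    """Slide 3, first concern: physical-security gear on a business VLAN, or
    with a management interface reachable from outside the security segment."""
    return sorted(d["name"] for d in devices
                  if d["vlan"] not in SECURITY_VLANS or d["mgmt_exposed"])


def saturated_uplinks(devices, capacity):
    """Slide 3, bandwidth concern: total camera load per uplink that exceeds
    the link's capacity, i.e. where CCTV becomes a business limiter."""
    load = defaultdict(int)
    for d in devices:
        load[d["uplink"]] += d["mbps"]
    return {u: mb for u, mb in load.items() if mb > capacity.get(u, 0)}


def single_points_of_failure(devices, threshold=3):
    """Slide 3, second concern: an uplink carrying `threshold` or more elements
    is a single point whose loss or compromise affects a whole site."""
    fan_in = defaultdict(int)
    for d in devices:
        fan_in[d["uplink"]] += 1
    return sorted(u for u, n in fan_in.items() if n >= threshold)


if __name__ == "__main__":
    print("misplaced/exposed:", misplaced_devices(DEVICES))
    print("saturated uplinks:", saturated_uplinks(DEVICES, UPLINK_CAPACITY_MBPS))
    print("single points of failure:", single_points_of_failure(DEVICES))
```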
  • 5. Solution Strategy
       Build awareness and integrate the Physical Security and IT Security communities into a common Asset Protection community, paying particular attention to building a comprehensive awareness and capacity of personnel to work across domains.
      – Put forward a plausible vision
      – Manage expectations
      – Set achievable goals
      – Maximize the ability to first anticipate, then detect and respond to emerging issues
  • 6. Key Steps
       Key Activities:
      – A – Cross-train personnel to build awareness
      – B – Small-scale projects to build and prove interaction between communities
      – C – Ensure expert-driven contributions to improve effectiveness, reduce waste and identify possible avenues of risk
       Key Resources:
      – Visionary leadership
      – Cross-training, up to cross-certification, integrated into job expectations
      – Small-scale test environment isolated from critical systems
  • 7. Results
       Security personnel more aware of situations that allow the means and opportunity for threat agents to compromise the organization
       Greater granularity of understanding of infrastructure at the enterprise level
       Greater ability to achieve domain awareness in terms of facility security and trend analysis through automation
  • 8. Lesson #1: Manage Expectations
       Just because technology exists doesn’t mean it’s appropriate to your environment
      – Security intrinsic to the system should be commensurate with the assets being protected
      – Tested, certified, or accredited?
       Put a check and balance on new technology acquisitions, ensuring that they are being proposed based on business lines
      – New technology should be linked to improvements in business processes or reductions in overhead
      – Closely monitor communities that constantly attempt to install the “latest and greatest”
       Unnecessary collections of shiny things only attract trouble
  • 9. Lesson #2: Set a Central Change Management Authority
       Senior Management Support
      – Early step in the consultation process
      – Mandatory step in the approval process
       Check and balance for integration of new technologies
      – Consistency (procurement, maintenance and disposal)
      – Modularity to ensure granularity (detail) and interoperability (compatibility)
      – Scalability in support of changing and evolving business requirements
       Management of change means appropriately integrating tools to improve efficiency and effectiveness
  • 10. Lesson #3: Balance the Team
       Do not allow Physical Security or IT Security to dominate
      – Symbiosis under the need to ensure effective and efficient business processes
      – Take advantage of knowledge bases across communities to ensure the best possible solution
       Appropriate Delegation
      – Prevent decisions made without understanding risk
      – Ensure risk management includes consideration for all potentially impacted parties (including system and data owners where appropriate)
       Reinforce the concept that individual success is dependent upon team success
  • 11. Lesson #4: Integrate Process Models for Integration
       Similar to the COBIT Model
      – Plan and Organize based on business needs, ensuring the ability to prevent, detect, respond to and recover from security events
      – Acquire and Implement to ensure that modularity and scalability are maintained while not exposing critical infrastructure to unknown risks
      – Deliver and Support using personnel who understand physical and logical risks, so that internal actions do not create unknown vulnerabilities
      – Monitor and Evaluate the performance of the system against system performance criteria commensurate with the sensitivity of the assets involved
       Remember that process is there to serve a purpose, not to be the purpose
  • 12. Lesson #5: Understand that Knowledge is Power
       Awareness in Management of key issues
      – What is real and what is visionary
       Cross-training of experts to minimize conflicts of ideologies and maximize understanding
      – Definition bases
      – Core concepts and models
      – Due diligence
       Impose continuous learning and professional development
      – Do not allow complacency
      – When you’re green you’re ripe, when you’re ripe you’re rotten
       You need to understand that administration, management and leadership are complementary but not the same thing
  • 13. Contact Information
      Bob Radvanovsky, CIFI, CISM, CIPS – rsradvan@infracritical.com
      Allan McDougall, PCIP, CMAS – amcdougall@evolutionarysecurity.ca