Evan Francen, President of FRSecure, discusses the challenges of building an efficient and effective security program in today’s world. Learn why most leaders have a false assumption of security, and how you can avoid the security mistakes most organizations make. - Delivered on 4/17/12 at TechPulse 2012.
Information Security For Leaders, By a Leader
1. Information Security for Leaders, From a Leader
TechPulse 2012 – April 17th, 2012
Presented by Evan Francen, President – FRSecure, LLC
http://www.frsecure.com | 952-467-6384
2. Introduction
Before we get started:
• This is not your typical presentation.
• What you have to say is as important as what I am going to tell you.
• You are encouraged to participate!
I will ask you questions, if you don’t ask me some!
3. Introduction
FRSecure
• Information security consulting company – it’s all we do.
• Established in 2008 by people who have earned their stripes in the field.
• We help small to medium sized organizations solve information security challenges.
4. Introduction
Speaker – Evan Francen, CISSP, CISM, CCSK
• President & Co-founder of FRSecure
• 20 years of information security experience
• Security evangelist with more than 700 published articles
• Experience with 150+ public & private organizations.
5. Introduction
Topics
• What is information security?
• What do business leaders need to know?
• You’re in business to make money
• Understand risk and manage it
• How we help
• Where should you start?
• Need Help? – Contact Us!
6. When you think of information security, how do you feel?
Be honest
7. What is information security?
This is really a question for you
9. Information Security Is Not an IT Issue
The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of information.
IT-centric information security over-emphasizes Technical controls, often at the expense of Administrative and Physical controls.
IT-centric information security also places an over-emphasis on Availability of systems, sometimes at the expense of Confidentiality and Integrity.
10. It’s not compliance, but compliance is important
Today’s compliance landscape is confusing!
Federal Regulations:
• HIPAA, GLBA, the FTC Act, ECPA, the Computer Fraud and Abuse Act (CFAA), etc.
State Regulations:
• Breach notification laws, data destruction laws, data protection laws
Industry Regulations:
• Payment Card Industry Data Security Standard (PCI DSS), enforced by contract with the card brands and your acquiring bank rather than by statute
Customer Regulations:
• Good luck!
11. What do business leaders need to know?
Business leaders have ultimate responsibility for information security
Due Care (aka “duty of care”):
• Provides a framework that defines the minimum standard of protection that business stakeholders must attempt to achieve.
• Often references the Prudent Man Rule, which requires that the organization engage in business practices that a prudent, right-thinking person would consider appropriate.
• Businesses found not to have applied this minimum duty of care can be deemed negligent in carrying out their duties.
12. What do business leaders need to know?
Business leaders have ultimate responsibility for information security
Due Diligence:
• Requires that an organization continually scrutinize its own practices to ensure that it is always meeting or exceeding the requirements for protection of assets and stakeholders.
• Due diligence is the management of due care: it follows a formal, repeatable process rather than a one-time effort.
• Persons are said to have exercised due diligence, and therefore cannot be considered negligent, if they were prudent in their investigation of potential risks and threats.
13. You are in business to make money
Sometimes information security professionals forget this fact!
• Not all risks require mitigation/remediation
• Information security must be strategic
• Information security strategy must align with business strategy
• Avoid business vs. information security scenarios
• Information security controls should be as transparent as possible
14. The Answer:
Understand Risk and Manage it.
• Risk is unique to your business and environment; information security is not a one-size-fits-all solution
• Risk = Likelihood x Impact: how probable it is that a threat is realized, and how much it costs you when it is
• Risks change as your business environment changes, so an assessment is a living document, not a one-time report
• There is no “easy button”
• You don’t need to know about every risk, but you must know about the significant ones.
15. How we help – Risk Assessment
16. How we help – Risk Management (Build & Manage)
17. Where should you start?
Conduct a risk assessment
• Do it right
• Comprehensive
• Quantified/Measured/Scored
• Choose a standard (ISO, NIST, COBIT, etc.)
18. Where should you start?
Make Decisions
Once you understand your risks, decide what you want to do about them. You can:
• Accept some risk
• Mitigate some risk
• Transfer some risk
Where organizations get in trouble is in ignoring risks and/or assuming that they don’t exist.
19. Where should you start?
Your own information security risk management program:
• Conduct Risk Assessment
• Make Decisions
• Plan Strategically
• Update Regularly
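The risk management loop on slides 14 and 17 through 19 (score each risk as Likelihood x Impact, pick out the significant ones, record an accept/mitigate/transfer decision for each, and never leave one ignored) is easy to describe and easy to get wrong in a spreadsheet. The register below is an added example written for this page, not FRSecure's methodology or tooling; the five entries, the 1-5 scales, the risk appetite of 10 and the "reduction" fractions are all constructed assumptions chosen to show the mechanics. Its one non-obvious rule is the one slide 18 warns about: a significant risk with no decision is flagged as a finding, and a risk marked "accept" is not allowed to claim any reduction.

```python
"""Minimal risk register: score risks as Likelihood x Impact, pick out the
significant ones, and flag any significant risk that has no treatment decision.
Constructed example for illustration; the entries, the 1-5 scales and the
appetite threshold are assumptions, not data from the presentation."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    ACCEPT = "accept"        # live with it, consciously and on record
    MITIGATE = "mitigate"    # add or improve a control
    TRANSFER = "transfer"    # insurance, outsourcing, contract terms


@dataclass
class Risk:
    name: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain)
    impact: int                          # 1 (negligible) .. 5 (severe)
    treatment: Optional[Treatment] = None
    reduction: float = 0.0               # fraction of inherent risk the treatment removes (0..1)

    def inherent(self) -> int:
        """Inherent risk score, the deck's Likelihood x Impact (1..25)."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk left after the chosen treatment; an undecided or accepted risk keeps its full score."""
        if self.treatment is None or self.treatment is Treatment.ACCEPT:
            return float(self.inherent())
        return self.inherent() * (1.0 - self.reduction)


def validate(register: List[Risk]) -> List[str]:
    """Reject scores off the scale and treatments that claim a reduction they cannot deliver."""
    problems = []
    for r in register:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            problems.append(f"{r.name}: likelihood and impact must be on the 1-5 scale")
        if not (0.0 <= r.reduction <= 1.0):
            problems.append(f"{r.name}: reduction must be between 0 and 1")
        if r.treatment in (None, Treatment.ACCEPT) and r.reduction:
            problems.append(f"{r.name}: accepting or ignoring a risk does not reduce it")
    return problems


def significant(register: List[Risk], appetite: int) -> List[Risk]:
    """Risks whose inherent score meets or exceeds the appetite, highest first."""
    hits = [r for r in register if r.inherent() >= appetite]
    return sorted(hits, key=lambda r: r.inherent(), reverse=True)


def ignored(register: List[Risk], appetite: int) -> List[Risk]:
    """Significant risks with no decision at all: the failure mode slide 18 describes."""
    return [r for r in significant(register, appetite) if r.treatment is None]


def still_above_appetite(register: List[Risk], appetite: int) -> List[Risk]:
    """Risks whose residual score is still at or above appetite after treatment."""
    return [r for r in register if r.residual() >= appetite]


# Constructed sample register (hypothetical entries, not from the presentation).
REGISTER = [
    Risk("Unpatched internet-facing VPN appliance", 4, 5, Treatment.MITIGATE, 0.75),
    Risk("Laptop theft, disk not encrypted", 3, 4, Treatment.MITIGATE, 0.80),
    Risk("Ransomware delivered by phishing", 4, 4, Treatment.TRANSFER, 0.50),
    Risk("Hosting vendor with weak controls holds customer data", 2, 5),
    Risk("Lobby visitor log not maintained", 2, 1, Treatment.ACCEPT),
]
APPETITE = 10   # assumed inherent score at which a risk is "significant" and needs a decision


if __name__ == "__main__":
    for issue in validate(REGISTER):
        print("register error:", issue)
    for r in significant(REGISTER, APPETITE):
        decision = r.treatment.value if r.treatment else "NO DECISION"
        print(f"{r.inherent():>3} -> {r.residual():>5.1f}  {decision:<12} {r.name}")
    for r in ignored(REGISTER, APPETITE):
        print("ignored significant risk:", r.name)
```

Run it and the vendor risk shows up twice: once in the ranked list with "NO DECISION", and again as an ignored significant risk, even though its inherent score (10) is the lowest of the four that cleared the appetite. That is the point of the check: a modest score is not a decision, and the register should not let a risk drop out of view just because nobody recorded what to do about it. Slide 19's "Update Regularly" is the reminder that the likelihood and impact columns, and therefore this output, go stale as the business changes.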