1. Sorry Image Redacted for Privacy ______ Security Solutions

4. Overview: Gain Security Awareness When you hire ______ you do not get one person but rather get a team of highly trained and experienced IT professionals who are experienced in all areas of information security. ______ works with you to understand your business goals, concerns and your organizations vision to create the optimal security solution customized for your individual organization. Presented by. Peleg Holzmann, CISSP

5. A few questions 1. What is your corporate vision for security? 2. Where are you today? 3. Where do you want to be? 4. How do we get there? 5. Did we get there? 6. How do we keep the momentum going? Presented by. Peleg Holzmann, CISSP

6. One Answer Sorry Image Redacted for Privacy We can help you answer all these questions! Presented by. Peleg Holzmann, CISSP

7. CIA Triangle Presented by. Peleg Holzmann, CISSP

8. Risk Risk is the likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus - the percentage of risk mitigated by current controls plus + the uncertainty of the current knowledge of the vulnerability. Presented by. Peleg Holzmann, CISSP

9. Risk $1000 $25,000 Threat $1000 $200 Presented by. Peleg Holzmann, CISSP

10. Layered Approach– Defense in Depth Redundancy Security Planning (IR, DR, BC) Monitoring Systems Patches & Updates Education and Training Host IDS Firewalls Authorized Personnel Network IDS Information Network IPS Proxy Servers Systems Encryption Backups People Networks Policies and Laws Access Controls Internet Technology People Presented by. Peleg Holzmann, CISSP

11. Security Awareness Presented by. Peleg Holzmann, CISSP

12. Continual Service Improvement Presented by. Peleg Holzmann, CISSP

13. Typical Information Security Audit Procedure Step 1.1: NIST/ISO Security Standards Step 1: Ascertain Applicable Laws Requirements Presented by. Peleg Holzmann, CISSP

14. Requirements Continued InformationSecurity InformationSecurity Management System Standards / Frameworks (ISO 27000) Processes Policies Procedures Practices Accountability Compliance, Assurance, Audit Presented by. Peleg Holzmann, CISSP

16. SOX

17. GLBA

19. ISO 17799

20. COBIT

21. Etc.

22. Determine specific requirementsPresented by. Peleg Holzmann, CISSP

23. Step 1 – Example HIPPA Some areas which need to be addressed and documented would include: Physical Security Systems should be located in physically secure locations, whenever possible. Secure Locations Secure locations must have physical access controls (Card Key, door locks, etc.) that prevent unauthorized entry, particularly during periods outside of normal work hours, or when authorized personnel are not present to monitor security. Access Control Systems Access control systems must be maintained in good working order and records of maintenance, modification and repair activities should be available. Media Destruction and Recycling Back-up Systems and Procedures Account Management and Access Review Emergency Access Disaster Recovery… Presented by. Peleg Holzmann, CISSP

24. Typical Information Security Audit Procedure Step 2: Prepare Project Plan Step 1.1: NIST/ISO Security Standards Step 1: Ascertain Applicable Laws Requirements Presented by. Peleg Holzmann, CISSP

25. Step 2 – Project Plan Utilizing Microsoft Project design and maintain a feasible and detailed project plan. Each project plan is followed and evaluated constantly to ensure that milestones, schedules and budgets are met. Presented by. Peleg Holzmann, CISSP

26. Typical Information Security Audit Procedure Documentation Review Step 3: Gather Information & Identify Assets Step 2: Prepare Project Plan Step 1.1: NIST/ISO Security Standards Step 1: Ascertain Applicable Laws Interviews Requirements Presented by. Peleg Holzmann, CISSP

27. Step 3 – Gather Information Use tools, interviews and documentation review to analyze business risk profile. Presented by. Peleg Holzmann, CISSP

28. Step 3 – Gather Information - Interviews Sorry Image Redacted for Privacy Presented by. Peleg Holzmann, CISSP

29. Step 3 – Gather Information - Software Nessus Secunia Microsoft Baseline Security Analyzer (MBSA) Presented by. Peleg Holzmann, CISSP

30. Step 3 – Gather Information – Documentation Review Presented by. Peleg Holzmann, CISSP

31. Typical Information Security Audit Procedure Documentation Review Step 3: Gather Information & Identify Assets Step 2: Prepare Project Plan Step 4: Perform Risk Analysis Step 1.1: NIST/ISO Security Standards Step 1: Ascertain Applicable Laws Interviews Requirements Presented by. Peleg Holzmann, CISSP

32. Step 4 – Perform Risk Analysis Risk is the likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus - the percentage of risk mitigated by current controls plus + the uncertainty of the current knowledge of the vulnerability. Presented by. Peleg Holzmann, CISSP

33. System Boundary System Functions Systems & Data Criticality System & Data Sensitivity Hardware Software System Interfaces Data & Information People System Mission History of system attacks Outside agency data Step 6: Impact Analysis Loss of CIA Threat Statement Step 2: Threat Identification Step 3: Vulnerability Identification Step 4: Control Analysis Step 7: Risk Determination Step 5: Likelihood determination Step 1: System Characterization Prior Risk Assessments Prior Audits Security Requirements Security Test Results List of Potential Vulnerabilities Current Controls Planned Controls List of current & planned controls Threat Source Motivation Threat Capacity Nature of Vulnerability Current Controls Impact Rating Mission impact analysis Asset criticality assessment Data criticality Data sensitivity Impact Ratings Likelihood of threat exploitation Magnitude of impact Adequacy of planned & Implemented controls Risk & Associated Risk Levels Presented by. Peleg Holzmann, CISSP

34. Step 4 – Perform Risk Analysis (Quantitative) Quantitative Approach (more detailed and longer time frame) Single Loss Expectancy (SLE) Annualized Rate of Occurrence (ARO) Annualized Loss Expectancy (ALE) SLE x ARO = ALE Cost Basis Analysis (CBA) Annualized Cost of Safeguard (ACS) CBA = ALE (prior) – ALE (Post) - ACS Presented by. Peleg Holzmann, CISSP

35. Step 4 – Perform Risk Analysis (Qualitative) Qualitative Approach (Faster and Cheaper) Low, Medium, High, Very High Assign a degree to the asset then create a RISK Matrix Chart similar to sample shown. Presented by. Peleg Holzmann, CISSP

36. Step 4 – Perform Risk Analysis At ______ we use both in combination: Quantitative and Qualitative to produce the most accurate risk matrix. Sorry Image Redacted for Privacy Quantitative Qualitative Presented by. Peleg Holzmann, CISSP

37. Step 4 – Perform Risk Analysis At ______ we use both in combination: Quantitative and Qualitative to produce the most accurate risk matrix. Identify Information Assets Implement Control Plan for Maintenance Vulnerability Worksheet Access Control Measure Risk to Asset Control Strategy And Plan Adequate Controls? Adequate Risk? YES NO YES NO Presented by. Peleg Holzmann, CISSP

38. Typical Information Security Audit Procedure Documentation Review Step 3: Gather Information & Identify Assets Step 5: Report Findings & Recommendations Step 2: Prepare Project Plan Step 4: Perform Risk Analysis Step 1.1: NIST/ISO Security Standards Step 1: Ascertain Applicable Laws Interviews Requirements Presented by. Peleg Holzmann, CISSP

39. Step 5 – Report Findings and Recommendations Presented by. Peleg Holzmann, CISSP

40. Typical Information Security Audit Procedure Documentation Review Step 6: Prepare Implementation Plan Step 3: Gather Information & Identify Assets Step 5: Report Findings & Recommendations Step 2: Prepare Project Plan Step 4: Perform Risk Analysis Step 1.1: NIST/ISO Security Standards Step 1: Ascertain Applicable Laws Interviews Requirements Presented by. Peleg Holzmann, CISSP

41. Step 6 – Implementation Plan Presented by. Peleg Holzmann, CISSP

42. Step 4 – Example of Patches and Vulnerabilities Sorry Image Redacted for Privacy Presented by. Peleg Holzmann, CISSP

43. Typical Information Security Audit Procedure Documentation Review Step 6: Prepare Implementation Plan Step 7: Continual Service Improvement Step 3: Gather Information & Identify Assets Step 5: Report Findings & Recommendations Step 2: Prepare Project Plan Step 4: Perform Risk Analysis Step 1.1: NIST/ISO Security Standards Step 1: Ascertain Applicable Laws Interviews Requirements Presented by. Peleg Holzmann, CISSP

44. Step 7: Continual Service Improvement Presented by. Peleg Holzmann, CISSP

45. Some Examples…. Presented by. Peleg Holzmann, CISSP

46. Firewall Rules Sorry Image Redacted for Privacy Presented by. Peleg Holzmann, CISSP

47. Wi-Fi Site Analysis Presented by. Peleg Holzmann, CISSP

48. Network Analysis Sorry Image Redacted for Privacy Presented by. Peleg Holzmann, CISSP

49. Documentation – MacAfee Epolicy Orchestrator Sorry Image Redacted for Privacy Presented by. Peleg Holzmann, CISSP

50. Patch / Change Management Report Sorry Image Redacted for Privacy Presented by. Peleg Holzmann, CISSP

51. Risk Assessment Sorry Image Redacted for Privacy Presented by. Peleg Holzmann, CISSP

52. Documentation Review / Audits Sorry Image Redacted for Privacy Presented by. Peleg Holzmann, CISSP

53. Documentation Work Area Recovery Recommendations Sorry Image Redacted for Privacy Presented by. Peleg Holzmann, CISSP

54. Documentation Business Impact Analysis (BIA) Sorry Image Redacted for Privacy Presented by. Peleg Holzmann, CISSP

55. Control Objective Sorry Image Redacted for Privacy Presented by. Peleg Holzmann, CISSP

56. Policy Document Sorry Image Redacted for Privacy Presented by. Peleg Holzmann, CISSP

57. Standards Document Sorry Image Redacted for Privacy Presented by. Peleg Holzmann, CISSP

58. We help you assemble your complete security solution Presented by. Peleg Holzmann, CISSP