This presentation was provided by Daniel Ayala of Secratic during the NFAIS Forethought Strategic Summit "Transforming Systems Through Transformed Content." The event was held June 16-17, 2021.
Ayala "Security is an Enabler; Not Securing is an Inhibitor"
1. SECURITY IS AN ENABLER. NOT SECURING IS AN INHIBITOR.
NISO TRANSFORMING CONTENT THROUGH TRANSFORMED SYSTEMS CONFERENCE
THURSDAY, 17 JUNE 2021
Daniel Ayala (@buddhake)
CISO/CPO, Managing Partner
2. Why is it important for people to invest in their systems?
8. "The Basics"
• Passwords and multifactor authentication
• Use your institution's single sign-on (SSO)
• Have an inventory of the systems you operate
• Know what software runs on those systems
• Patch your systems and software regularly
• Limit access to the things that people truly need
• Turn off systems when they are no longer used
• Turn off access when people leave the org
• Monitor your systems for changes from "normal"
• Educate users/patrons about risks on an ongoing basis
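Several of these basics (limit access to what people truly need, turn off access when people leave, watch for accounts that drift from "normal") reduce to one recurring check: compare who can log in against who should be able to. The script below is an added example, not part of the slides; it reconciles a constructed HR roster against a constructed directory export and flags leavers, ownerless accounts, excess group membership and dormant logins. Every person, group, department and date in it is hypothetical.

```python
"""Added example, not from the slides: an access-hygiene review that turns
"limit access to what people truly need" and "turn off access when people
leave" into a repeatable check. All data below is constructed and
hypothetical (people, groups, departments, dates)."""
from datetime import date

TODAY = date(2021, 6, 17)          # review date used by the sample run
DORMANT_DAYS = 90                  # no login for this long => flag as dormant

# Constructed HR roster: the source of truth for who still works here.
HR_ROSTER = {
    "alice": {"status": "active", "dept": "library-systems"},
    "bob":   {"status": "active", "dept": "cataloguing"},
    "carol": {"status": "terminated", "dept": "library-systems"},
}

# Constructed export from the directory / SSO provider: who can log in now.
ACCOUNTS = [
    {"user": "alice",      "enabled": True, "groups": ["ils-admin"],                  "last_login": "2021-06-10"},
    {"user": "bob",        "enabled": True, "groups": ["catalog-editor", "ils-admin"], "last_login": "2021-01-02"},
    {"user": "carol",      "enabled": True, "groups": ["ils-admin", "vpn"],           "last_login": "2021-03-30"},
    {"user": "svc-backup", "enabled": True, "groups": ["ils-admin"],                  "last_login": None},
]

# Constructed least-privilege baseline: the groups each department needs.
ALLOWED_GROUPS = {
    "library-systems": {"ils-admin", "vpn"},
    "cataloguing": {"catalog-editor"},
}


def review_access(accounts, roster, allowed, today, dormant_days=DORMANT_DAYS):
    """Return (user, finding, detail) tuples for enabled accounts that have
    no owner, belong to leavers, hold groups beyond need, or are dormant."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue                        # already turned off; nothing to do
        person = roster.get(user)
        if person is None:
            findings.append((user, "no-owner",
                             "enabled account with no matching person in HR"))
            continue
        if person["status"] != "active":
            findings.append((user, "leaver",
                             "account still enabled for a terminated person"))
            continue                        # disable it; group review is moot
        extra = set(acct["groups"]) - allowed.get(person["dept"], set())
        if extra:
            findings.append((user, "excess-privilege",
                             f"groups beyond department need: {sorted(extra)}"))
        last = acct["last_login"]
        if last is None or (today - date.fromisoformat(last)).days > dormant_days:
            findings.append((user, "dormant",
                             f"no login in the last {dormant_days} days"))
    return findings


def sample_review():
    """Run the review over the constructed data (used by the demo below)."""
    return review_access(ACCOUNTS, HR_ROSTER, ALLOWED_GROUPS, TODAY)


if __name__ == "__main__":
    for user, kind, detail in sample_review():
        print(f"{user:<12} {kind:<17} {detail}")
```

Run as-is it reports bob (excess group and dormant), carol (leaver) and svc-backup (no owner) and nothing for alice. In practice the roster comes from HR and the account list from the SSO or directory export; the point is that the comparison runs on a schedule rather than only when someone remembers to ask.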
9. Maintain Security Proactively (Not Just When Crisis Strikes)
• Bake security into your other development and operations planning
• Develop systems with commitments to 1 out of every X sprints being for longer-term security features, and Y% of each sprint being earmarked for tactical security fixes
• Design the resiliency of systems to include patching requirements more than 2x/year
• Share the idea that security costs much more (up to 100x*) to fix later than earlier
• Complexity increases security. Try to normalise on technologies whenever possible
• Review source code before releasing technology and don't release with critical vulns
• Know your suppliers and dig into how they are securing their systems (which are now also your systems)
• Know (and practice) how you will respond when you get the call that a breach has taken place.
• The mean time from disclosure to impact continues to shrink; be ready to react in a similar timeframe.
* Source: IBM System Science Institute: Relative Cost of Fixing Defects, 2010
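The patch-cadence and disclosure-to-impact points above, together with the inventory items from "The Basics", can be checked mechanically once an inventory exists. The script below is an added example, not from the slides: it compares constructed inventory rows against constructed advisories, reports which hosts still run a version below the fix and for how many days since disclosure, flags those past an assumed per-severity response SLA, and lists hosts whose last patch is older than half a year (the "more than 2x/year" floor). Hosts, software names, versions, advisory ids and SLA values are all hypothetical.

```python
"""Added example, not from the slides: exposure and patch-cadence checks over
a system inventory. Hosts, software, versions, advisory ids, dates and SLA
targets are constructed and hypothetical."""
from datetime import date

TODAY = date(2021, 6, 17)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}   # assumed response targets
MAX_PATCH_INTERVAL_DAYS = 182                           # "more than 2x/year"

# Constructed inventory: one row per host and piece of software it runs.
INVENTORY = [
    {"host": "ils-app-01", "software": "ils-core",        "version": "4.2.1", "last_patched": "2021-05-20"},
    {"host": "ils-app-02", "software": "ils-core",        "version": "4.1.0", "last_patched": "2020-11-01"},
    {"host": "disc-01",    "software": "discovery-layer", "version": "7.0.3", "last_patched": "2021-06-01"},
]

# Constructed advisories with placeholder ids (not real CVEs or vendors).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "software": "ils-core",        "fixed_in": "4.2.0", "severity": "critical", "disclosed": "2021-06-01"},
    {"id": "ADV-PLACEHOLDER-2", "software": "discovery-layer", "fixed_in": "7.1.0", "severity": "high",     "disclosed": "2021-06-14"},
]


def parse_version(text):
    """'4.2.1' -> (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def exposure_report(inventory, advisories, today, sla=SLA_DAYS):
    """List every (host, advisory) pair still on a version below the fix,
    with days since disclosure and whether the response SLA is already blown."""
    rows = []
    for item in inventory:
        for adv in advisories:
            if adv["software"] != item["software"]:
                continue
            if parse_version(item["version"]) >= parse_version(adv["fixed_in"]):
                continue                      # already on a fixed version
            days = (today - date.fromisoformat(adv["disclosed"])).days
            rows.append({
                "host": item["host"],
                "advisory": adv["id"],
                "days_exposed": days,
                "sla_breached": days > sla[adv["severity"]],
            })
    return rows


def stale_hosts(inventory, today, max_days=MAX_PATCH_INTERVAL_DAYS):
    """Hosts whose last patch is older than the cadence the slide asks for."""
    return sorted({
        item["host"] for item in inventory
        if (today - date.fromisoformat(item["last_patched"])).days > max_days
    })


def sample_reports():
    """Both reports over the constructed data (used by the demo below)."""
    return exposure_report(INVENTORY, ADVISORIES, TODAY), stale_hosts(INVENTORY, TODAY)


if __name__ == "__main__":
    exposed, stale = sample_reports()
    for row in exposed:
        flag = "SLA BREACHED" if row["sla_breached"] else "within SLA"
        print(f"{row['host']}: {row['advisory']} exposed {row['days_exposed']}d ({flag})")
    print("hosts past patch cadence:", stale)
```

With the sample data, ils-app-02 is 16 days exposed to a critical advisory (past the 7-day target) and has not been patched in over 182 days, while disc-01 is 3 days into a 30-day window. The version comparison is deliberately numeric, since comparing "4.10.0" and "4.9.1" as strings gets the answer wrong.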
10. Considerations on Data
Data collection does not necessarily equal a privacy violation.
Just because you can doesn't mean you should.
Know what data flows in and out, and ensure that it truly needs to do so.