Ayala "Security is an Enabler; Not Securing is an Inhibitor"

•

0 gostou•230 visualizações

National Information Standards Organization (NISO)

This presentation was provided by Daniel Ayala of Secratic during the NFAIS Forethought Strategic Summit "Transforming Systems Through Transformed Content." The event was held June 16-17, 2021.

Educação

SECURITY IS AN
ENABLER.
NOT SECURING
IS AN INHIBITOR.
NISO TRANSFORMING CONTENT THROUGH
TRANSFORMED SYSTEMS CONFERENCE
THURSDAY, 17 JUNE 2021
Daniel Ayala (@buddhake)
CISO/CPO, Managing Partner

Why is it important
for people to invest in
their systems?

Security in the
News
https://www.cisa.gov/coronavirus
https://www.ic3.gov/Media/News/2021/210316.pdf

https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack
https://www.insidehighered.com/digital-learning/blogs/online-trending-now/rising-threat-ransomware-and-other-malware
The Rise of
Ransomware

https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

• Passwords and multifactor authentication
• Use your institution's single sign-on (SSO)
• Have an inventory of the systems you operate
• Know what software runs on those systems
• Patch your systems and software regularly
• Limit access to the things that people truly need
• Turn off systems when they are no longer used
• Turn off access when people leave the org
• Monitor your systems for changes from "normal"
• Educate users/patrons to risks on ongoing basis
"The Basics"

Maintain Security Proactively
(Not Just When Crisis Strikes)
• Bake security into your other development and operations planning
• Develop systems with commitments to 1 out of every X sprints being for longer term security
features, and Y% of each sprint being earmarked for tactical security fixes
• Design the resiliency of systems to include patching requirements more than 2x/year
• Share the idea that security costs much more (up to 100x*) to fix later than do earlier
• Complexity increases security. Try to normalise on technologies whenever possible
• Review source code before releasing technology and don't release with critical vulns
• Know your suppliers and dig into how they are securing their systems (which are also now
also your systems)
• Know (and practice) how you will respond when you get the call
that a breach has taken place.
• The mean time from disclosure to impact continues to shrink;
be ready to react in a similar timeframe.
* Source: IBM System Science Institute: Relative Cost of Fixing Defects, 2010

Considerations on Data
Data collection does not necessarily equal a
privacy violation
Just because you can doesn't mean you should.
Know what data flows in and out,
and ensure that it truly needs to do so

TWITTER
@buddhake
LINKEDIN
/in/danielaayala
EMAIL
daniel@secratic.com
Contact Information

Mais conteúdo relacionado

Mais procurados

Securing your IT infrastructure with SOC-NOC collaboration TWP

Sridhar Karnam

Bus2.0 - IT architecture

UNSW Canberra

Enterprise Wide IT Projects are Complex and strategic importance to organizations to sustain competitive advantage in the market place. High percentage of strategic initiatives fail due to poor project performance. This presentation highlights importance of leading Enterprise Wide Projects, instead just focusing on managing projects. The author discusses enterprise wide project relevance to PMI Knowledge Areas and essential leadership skills required to manage enterprise wide projects. The author also presents two project planning models organizations can use to improve enterprise wide project success.

Leading Enterprise Wide Projects

Kaali Dass PMP, PhD.

Technology Controls in Business - End User Computing

guestc1bca2

Today’s most innovative companies are swapping stringent hierarchical systems and silos in favor of knowledge work and integrated teams. The operating model of the future will develop into a dynamic and redundant team that can respond quickly to user needs and adhere to exhaustive testing practices. Here’s the question: Is your organization ready to make this change? During this webinar, Crystal Miceli, Ivanti's VP Product Marketing, hosted our special guest analyst, Charlie Betz, from Forrester Research, an expert in mediating hard-to-resolve discussions around incident management, release automation and chaos engineering. He examined the challenges of older IT modeling. He’ll also shared how infrastructure and operations (I&O) professionals can build agile systems that invest in continuous learning and are compatible with modern IT service management. This webinar will help you: .Articulate the issues around traditional IT organization models .Define how new processes can work in tandem with modern tech operations .Investigate mission-driven, product-centric operating models you can adopt .Establish a strategy for transforming your organization’s processes to meet new standards

The Future of Technology Operations

Ivanti

10 solution architecture concepts

Paul Preiss

Migrating Critical Applications to the Cloud - isaca seattle - sanitized

UnifyCloud

Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized

Norm Barber

Far too often application security decisions are made in an ad hoc manner and based on little or no data. This leads to an inefficient allocation of scarce resources. To move beyond fear, uncertainty and doubt, organizations must adopt an approach to application risk management based on a structured process and quantitative data. This presentation outlines such an approach for organizations to enumerate all the applications in their portfolio. It then goes through background information to collect for each application to support further decision-making. In addition, the presentation lays out an application risk-ranking framework allowing security analysts to quantitatively categorize their application assets and then plan for assessment activities based on available budgets. This provides the knowledge and tools required for them to use the approach on the applications they are responsible for in their organization. Please email dan _at_ denimgroup dot com for a template spreadsheet and a how-to guide.

Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers

Denim Group

2017 think - session 4085 - increase your agile velocity - integrate your d...

M Kevin McHugh

UniqueSoft Overview

bmskelly

Stu r35 a

SelectedPresentations

John_Rehmert

John Rehmert

HP Protect 2015 Presentation with Denim Group's John Dickson and HP's Bruce Jenkins - Software security historically has been a bolt-on afterthought, frequently a "nice to do" and not a "must do" activity in many organizations. Despite the obvious need to build security in from the outset, organizations continue to struggle to gain momentum and focus resources in support of a structured and measurable software security assurance program. How can organizations determine the best-fit activities and appropriate resource allocation levels to adequately address software risk? How can security leaders know what other organizations are doing to produce more secure software? This session provides an overview of the Open Software Assurance Maturity Model (OpenSAMM) framework and illustrates how organizations can use it to give their security program the edge necessary to stay competitive in today's DevOps world and need-for-speed go-to-market strategies. The session includes case studies on how organizations are using comparative data and OpenSAMM benchmarking to realize measurable software security improvement. Originally shared here - https://sessioncatalog.hpglobalevents.com/go/agendabuilder.sessions/?l=19&sid=4026_2744&locale=en_US

Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...

Denim Group

End User Computing (EUC)

Jashisha Gupta

Core.co.enterprise.deck.06.16.10

Core Security Technologies

Effective Computing In Today’s World

Technecessities

Timothy Wilson_Resume_June_2015

Tim Wilson

Securing the Manufacturing Digital Thread

Frank Backes

Qualys user group presentation - vulnerability management - November 2009 v1 3

Tom King

Mais procurados (20)

Securing your IT infrastructure with SOC-NOC collaboration TWP

Bus2.0 - IT architecture

Leading Enterprise Wide Projects

Technology Controls in Business - End User Computing

The Future of Technology Operations

10 solution architecture concepts

Migrating Critical Applications to the Cloud - isaca seattle - sanitized

Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized

Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers

2017 think - session 4085 - increase your agile velocity - integrate your d...

UniqueSoft Overview

Stu r35 a

John_Rehmert

Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...

End User Computing (EUC)

Core.co.enterprise.deck.06.16.10

Effective Computing In Today’s World

Timothy Wilson_Resume_June_2015

Securing the Manufacturing Digital Thread

Qualys user group presentation - vulnerability management - November 2009 v1 3

Semelhante a Ayala "Security is an Enabler; Not Securing is an Inhibitor"

Security Is an Enabler, Not Securing Is an Inhibitor

secratic

We began to see renewed innovation in the threat actor space in mid to late 2018. This trend has continued to surface in 2019. Threat actors (black hat hackers) have increasingly leveraged prior attacks, data collection and mining, and likely AI to create a new type of highly targeted, very sophisticated cyber attacks. Explore this new threat technique, prevention and detection strategies, and some of the most effective strategies to balance compliance and customer requirements with practical cyber security.

2019 NCLGISA Spring Cybersecurity Threats & Trends: Blended Threats and Smart...

Internetwork Engineering (IE)

Cybersecurity.pptx

John Donahue

Cyber Resilience white paper 20160401_sd

Susan Darby

2019 Cyber Security Trends

Internetwork Engineering (IE)

"Evolving Cybersecurity Strategies" - Identity is the new security boundary

Dean Iacovelli

Do you know what threats are lurking in the shadows? Have you been compromised without even knowing about it? Most companies don't even know if their business has been subjected to attacks and even worse, may have lost sensitive data without knowing about it until it’s too late. The latest vulnerabilities highlight the extent and depth that hackers are adopting to steal your content or destroy trust in your brand. Our industry experts joining us for the presentation have a wealth of experience in robust security strategies and will be discussing the current online threat landscape, the most prominent approaches to security breaches and what you need to consider to protect your online presence from any potential malicious attacks. About Melbourne IT: Melbourne IT Enterprise Services designs, builds and operates custom cloud solutions for Australia’s leading enterprises. Its expert staff help enterprises solve business challenges and build cultures that enable organisations to use technology investments efficiently to improve long-term value. With more than 15 years’ experience in delivering managed outcomes to Australian enterprises, Melbourne IT has been long associated with enabling success. Its certified cloud, consulting, and security experts repeatedly deliver results. Many of the brands you already know and trust rely on Melbourne IT. For more information, visit www.melbourneitenterprise.com.au

Introduction to the Current Threat Landscape

Melbourne IT

We Are Instructor Led Online Training Hub.Get access to the world’s best learning experience at our online learning community where millions of learners learn cutting-edge skills to advance their careers, improve their lives, and pursue the work they love. We provide a diverse range of courses, tutorials, resume formats, projects based on real business challenges, and job support to help individuals get started with their professional career.

Cyber security for Developers

techtutorus

Network security is a dynamic art, with dangers appearing as fast as black hats can exploit vulnerabilities. While there are basic “golden rules” which can make life difficult for the bad guys, it remains a challenge to keep networks secure. John Chambers, Executive Chairman of Cisco, famously said “there are two types of companies: those that have been hacked, and those who don’t know they have been hacked”. The question for most organizations isn’t if they’re going to be breached, but how quickly they can isolate and mitigate the threat. In this paper, we’ll examine best practices for effective cybersecurity – from both a proactive (access hardening) and reactive (threat isolation and mitigation) perspective. We’ll address how network automation can help minimize cyberattacks by closing vulnerability gaps and how it can improve incident response times in the event of a cyberthreat. Finally, we’ll lay a vision for continuous network security, to explore how machine-to-machine automation may deliver an auto-securing and self-healing network. Go to www.esgjrconsultinginc.com

Toward Continuous Cybersecurity with Network Automation

E.S.G. JR. Consulting, Inc.

Toward Continuous Cybersecurity With Network Automation

Ken Flott

Why does security feel like the most frustrating challenge in government IT ? In part because security in a cloud-first, mobile-first world calls for new approaches. Data is accessed, used, and shared on-prem and in the cloud – erasing traditional security boundaries. We’ll examine current trends in cyber security and some resulting strategy shifts that have the potential to greatly enhance public sector organizations’ ability to balance risk and access, better detect and respond to attacks and just make faster and more coordinated cybersecurity decisions overall. Follow-on sessions in the series will delve more deeply into specific facets of an overall cybersecurity strategy.

"Evolving cybersecurity strategies" - Seizing the Opportunity

Dean Iacovelli

CyCon 3.0 presentation- February 15, 2020 Successful digital transformations don’t begin with technology, they begin with people. As organizations adopt DevOps and cloud and realize the increased release velocity, ensuring the security of software and systems at the same velocity is a necessity but doing so isn’t easy. In this talk you will learn about common security challenges in DevOps and cloud and the skills cybersecurity professionals need to solve these challenges.

Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...

Troy Marshall

Cyber attackers are better funded, more focused, and more successful than ever. Making matters worse, defenders have more IT territory to protect, including public cloud, virtual infrastructure, mobile, Internet of Things, and an expanding list of users, applications, and data. An evolution in security strategies is underway; shifting from a preventive approach to one that is more balanced across prevention, monitoring, and response. In this session, we delve into key innovations that enable a more effective defense and how RSA’s NetWitness suite is delivering many of these innovations.

MT 117 Key Innovations in Cybersecurity

Dell EMC World

Law Firm Cybersecurity: Practical Tips for Protecting Your Data

Accellis Technology Group

This session will take a practical approach to IT risk management and discuss multi cloud, Verizon Data Breach Investigations Report (DBIR) and how Enterprises are losing ground in the fight against persistent cyber-attacks. We simply cannot catch the bad guys until it is too late. This picture is not improving. Verizon reports concluded that less than 14% of breaches are detected by internal monitoring tools. We will review the JP Morgan Chase data breach were hackers were in the bank’s network for months undetected. Network configuration errors are inevitable, even at the largest banks as Capital One that recently had a data breach where a hacker gained access to 100 million credit card applications and accounts. Viewers will also learn about: - Macro trends in Cloud security and Micro trends in Cloud security - Risks from Quantum Computing and when we should move to alternate forms of encryption - Review “Kill Chains” from Lockhead Martin in relation to APT and DDoS Attacks - Risk Management methods from ISACA and other organizations Speaker: Ulf Mattsson, Head of Innovation, TokenEx

Practical risk management for the multi cloud

Ulf Mattsson

Insights into cyber security and risk

Cyber Security is a protection offered to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications). To read more visit: https://www.rangtech.com/blog/cybersecurity/cyber-security-what-is-it-and-what-you-need-to-know

CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf

Jenna Murray

In 2016 alone, over 4000 cyber attacks were reported globally – with many more never reported or even detected. Enterprises deploy security point solutions in the hopes of stopping a data breach, while savvy attackers work to exploit the whitespace between them. This session will explore how a connected approach to security, one where vendors are joining forces to specifically address the data breach problem, will eliminate the silos that make it possible for breaches to happen.

No More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe

Core Security

Elastic's recommendation on keeping services up and running with real-time vi...

FaithWestdorp

Discuss how a successful organization should have the following layers of security in place for the protection of its operations: information security management, data security, and network security. Multiple Layers of Security Marlowe Rooks posted Mar 13, 2020 9:54 AM Looking at Vacca”s book chapter 1, “Information security management as a field is ever increasing in demand and responsibility because most organizations spend increasingly larger percentages of their IT budgets in attempting to manage risk and mitigate intrusions, not to mention the trend in many enterprises of moving all IT operations to an Internet-connected infrastructure, known as enterprise cloud computing (John R. Vacca, 2014)”. It is the organization responsibility to protect its business and its client information at all times. With that said I’m going to break down why companies need to have multiple layers of security and what types they should implement below. The first layer is Information security management which can be from Physical Security, or Personnel Security. Physical Security can range from physical items, objects, or areas from unauthorized access and misuse. Personnel Security is to protect the individual or group of individuals who are authorized to access the organization and its operations. Some of the reason to implement Information Security is as follow: · Decrease in downtime of IT systems · Decrease in security related incidents · Increase in meeting an organization's compliance requirements and standards · Increase in customer satisfaction, demonstrating that security issues are tackled in the most appropriate manner · Increase in quality of service · Process approach adoption, which helps account for all legal and regulatory requirements · More easily identifiable and managed risks · Also covers information security (IS) (in addition to IT information security) · Provides a competitive edge to an organization with the help of tackling risks and managing resources/processes The second layer would be Data Security which can be refers to the process of protecting data from unauthorized access and data corruption throughout its lifecycle. Data security includes data encryption, tokenization, and key management practices that protect data across all applications and platforms. Some of the reason to implement Data Security is as follow: · Cloud access security – Protection platform that allows you to move to the cloud securely while protecting data in cloud applications. · Data encryption – Data-centric and tokenization security solutions that protect data across enterprise, cloud, mobile and big data environments. · Web Browser Security - Protects sensitive data captured at the browser, from the point the customer enters cardholder or personal data, and keeps it protected through the ecosystem to the trusted host destination. · Mobile App Security - Protecting sensitive data in native mobile apps while safeguarding the data end-to-end. · eMai ...

Discuss how a successful organization should have the followin.docx

cuddietheresa

Semelhante a Ayala "Security is an Enabler; Not Securing is an Inhibitor" (20)

Security Is an Enabler, Not Securing Is an Inhibitor

2019 NCLGISA Spring Cybersecurity Threats & Trends: Blended Threats and Smart...

Cybersecurity.pptx

Cyber Resilience white paper 20160401_sd

2019 Cyber Security Trends

"Evolving Cybersecurity Strategies" - Identity is the new security boundary

Introduction to the Current Threat Landscape

Cyber security for Developers

Toward Continuous Cybersecurity with Network Automation

Toward Continuous Cybersecurity With Network Automation

"Evolving cybersecurity strategies" - Seizing the Opportunity

Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...

MT 117 Key Innovations in Cybersecurity

Law Firm Cybersecurity: Practical Tips for Protecting Your Data

Practical risk management for the multi cloud

Insights into cyber security and risk

CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf

No More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe

Elastic's recommendation on keeping services up and running with real-time vi...

Discuss how a successful organization should have the followin.docx

Mais de National Information Standards Organization (NISO)

Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"

National Information Standards Organization (NISO)

Mattingly "AI & Prompt Design: The Basics of Prompt Design"

National Information Standards Organization (NISO)

Bazargan "NISO Webinar, Sustainability in Publishing"

National Information Standards Organization (NISO)

Rapple "Scholarly Communications and the Sustainable Development Goals"

National Information Standards Organization (NISO)

Compton "NISO Webinar, Sustainability in Publishing"

National Information Standards Organization (NISO)

Mattingly "AI & Prompt Design: Large Language Models"

National Information Standards Organization (NISO)

Hazen, Morse, and Varnum "Spring 2024 ODI Conformance Statement Workshop for ...

National Information Standards Organization (NISO)

Mattingly "AI & Prompt Design" - Introduction to Machine Learning"

National Information Standards Organization (NISO)

Mattingly "Text and Data Mining: Building Data Driven Applications"

National Information Standards Organization (NISO)

Mattingly "Text and Data Mining: Searching Vectors"

National Information Standards Organization (NISO)

Mattingly "Text Mining Techniques"

National Information Standards Organization (NISO)

Mattingly "Text Processing for Library Data: Representing Text as Data"

National Information Standards Organization (NISO)

Carpenter "Designing NISO's New Strategic Plan: 2023-2026"

National Information Standards Organization (NISO)

Ross and Clark "Strategic Planning"

National Information Standards Organization (NISO)

Mattingly "Data Mining Techniques: Classification and Clustering"

National Information Standards Organization (NISO)

Straza "Global collaboration towards equitable and open science: UNESCO Recom...

National Information Standards Organization (NISO)

Lippincott "Beyond access: Accelerating discovery and increasing trust throug...

National Information Standards Organization (NISO)

Kriegsman "Integrating Open and Equitable Research into Open Science"

National Information Standards Organization (NISO)

Mattingly "Ethics and Cleaning Data"

National Information Standards Organization (NISO)

Mercado-Lara "Open & Equitable Program"

National Information Standards Organization (NISO)

Mais de National Information Standards Organization (NISO) (20)

Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"

Mattingly "AI & Prompt Design: The Basics of Prompt Design"

Bazargan "NISO Webinar, Sustainability in Publishing"

Rapple "Scholarly Communications and the Sustainable Development Goals"

Compton "NISO Webinar, Sustainability in Publishing"

Mattingly "AI & Prompt Design: Large Language Models"

Hazen, Morse, and Varnum "Spring 2024 ODI Conformance Statement Workshop for ...

Mattingly "AI & Prompt Design" - Introduction to Machine Learning"

Mattingly "Text and Data Mining: Building Data Driven Applications"

Mattingly "Text and Data Mining: Searching Vectors"

Mattingly "Text Mining Techniques"

Mattingly "Text Processing for Library Data: Representing Text as Data"

Carpenter "Designing NISO's New Strategic Plan: 2023-2026"

Ross and Clark "Strategic Planning"

Mattingly "Data Mining Techniques: Classification and Clustering"

Straza "Global collaboration towards equitable and open science: UNESCO Recom...

Lippincott "Beyond access: Accelerating discovery and increasing trust throug...

Kriegsman "Integrating Open and Equitable Research into Open Science"

Mattingly "Ethics and Cleaning Data"

Mercado-Lara "Open & Equitable Program"

Último

SOC 101 Demonstration of Learning Presentation

camerronhm

Basic Civil Engineering notes first year Notes Building notes Selection of site for Building Layout of a Building What is Burjis, Mutam Building Bye laws Basic Concept of sunlight ventilation in building National Building Code of India Set back or building line Types of Buildings Floor Space Index (F.S.I) Institutional Vs Educational Building Components & function Sills, Lintels, Cantilever Doors, Windows and Ventilators Types of Foundation AND THEIR USES Plinth Area Shallow and Deep Foundation Super Built-up & carpet area Floor Area Ratio (F.A.R) RCC Reinforced Cement Concrete RCC VS PCC

Basic Civil Engineering first year Notes- Chapter 4 Building.pptx

Denish Jangid

Google Gemini An AI Revolution in Education.pptx

Dr. Sarita Anand

General Principles of Intellectual Property: Concepts of Intellectual Proper...

Poonam Aher Patil

Key note speaker Neum_Admir Softic_ENG.pdf

Admir Softic

ICT Role in 21st Century Education & its Challenges.pptx

AreebaZafar22

Python Notes for mca i year students osmania university.docx

Ramakrishna Reddy Bijjam

FSB Advising Checklist - Orientation 2024

Elizabeth Walsh

Application orientated numerical on hev.ppt

RamjanShidvankar

Food safety_Challenges food safety laboratories_.pdf

Sherif Taha

ICT role in 21st century education and it's challenges.

MaryamAhmad92

Fostering Friendships - Enhancing Social Bonds in the Classroom

Pooky Knightsmith

Towards a code of practice for AI in AT.pptx

Jisc

Salient Features of India constitution especially power and functions

KarakKing

Spellings Wk 3 English CAPS CARES Please Practise

AnaAcapella

TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...

Nguyen Thanh Tu Collection

The basics of sentences session 3pptx.pptx

heathfieldcps1

Spatium Project Simulation student brief

Association for Project Management

Graduate Outcomes Presentation Slides - English

neillewis46

HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx

Esquimalt MFRC

Ayala "Security is an Enabler; Not Securing is an Inhibitor"

1. SECURITY IS AN ENABLER. NOT SECURING IS AN INHIBITOR. NISO TRANSFORMING CONTENT THROUGH TRANSFORMED SYSTEMS CONFERENCE THURSDAY, 17 JUNE 2021 Daniel Ayala (@buddhake) CISO/CPO, Managing Partner

2. Why is it important for people to invest in their systems?

3. Confidentiality Integrity Availability

4. Security in the News https://www.cisa.gov/coronavirus https://www.ic3.gov/Media/News/2021/210316.pdf

5. https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack https://www.insidehighered.com/digital-learning/blogs/online-trending-now/rising-threat-ransomware-and-other-malware The Rise of Ransomware

6. https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

7. Back to Basics

8. • Passwords and multifactor authentication • Use your institution's single sign-on (SSO) • Have an inventory of the systems you operate • Know what software runs on those systems • Patch your systems and software regularly • Limit access to the things that people truly need • Turn off systems when they are no longer used • Turn off access when people leave the org • Monitor your systems for changes from "normal" • Educate users/patrons to risks on ongoing basis "The Basics"

9. Maintain Security Proactively (Not Just When Crisis Strikes) • Bake security into your other development and operations planning • Develop systems with commitments to 1 out of every X sprints being for longer term security features, and Y% of each sprint being earmarked for tactical security fixes • Design the resiliency of systems to include patching requirements more than 2x/year • Share the idea that security costs much more (up to 100x*) to fix later than do earlier • Complexity increases security. Try to normalise on technologies whenever possible • Review source code before releasing technology and don't release with critical vulns • Know your suppliers and dig into how they are securing their systems (which are also now also your systems) • Know (and practice) how you will respond when you get the call that a breach has taken place. • The mean time from disclosure to impact continues to shrink; be ready to react in a similar timeframe. * Source: IBM System Science Institute: Relative Cost of Fixing Defects, 2010

10. Considerations on Data Data collection does not necessarily equal a privacy violation Just because you can doesn't mean you should. Know what data flows in and out, and ensure that it truly needs to do so

11. TWITTER @buddhake LINKEDIN /in/danielaayala EMAIL daniel@secratic.com Contact Information

Ayala "Security is an Enabler; Not Securing is an Inhibitor"

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Ayala "Security is an Enabler; Not Securing is an Inhibitor"

Semelhante a Ayala "Security is an Enabler; Not Securing is an Inhibitor" (20)

Mais de National Information Standards Organization (NISO)

Mais de National Information Standards Organization (NISO) (20)

Último

Último (20)

Ayala "Security is an Enabler; Not Securing is an Inhibitor"