Designing & Building an
Information Security Program
Instructor Biography
Larry Wilson is responsible for developing, implementing and managing the University of Massachusetts Information Security Policy and Written Information Security Program (WISP). The University program is based on industry best practices ISO 27001 / SANS 20 Critical Controls, and is implemented consistently across all University campuses (Amherst, Boston, Dartmouth, Lowell, Medical School and the President’s Office).
Prior to joining UMASS, Larry was the Vice President, Network Security Manager at State Street. His responsibilities included researching, selecting, implementing and overseeing an engineering and operations team who managed network security technologies / tools including vulnerability scanning, network firewalls, intrusion detection, content filtering, remote access, DNS, global and local load balancing, etc.
Larry's industry experience includes IT audit manager for Deloitte Enterprise Risk Services (ERS) consulting practice. In this role he managed a staff responsible for developing and completing a Sarbanes Oxley (SOX) compliance audit for MasterCard International. Larry's team focused on the application level controls and general computer controls for information technology services implemented and managed from the MasterCard data center in St. Louis.
Mr. Wilson holds a Master of Science degree in Civil / Structural Engineering from the University of New Hampshire. His industry certifications include CISSP, CISA and ISA (PCI Internal Security Assessor). He serves on the Advisory Board for Middlesex Community College and CISO Advisory Board for Oracle. He co-chairs the New England Security Council (NESC), and is the Certification Director for ISACA New England.
This presentation will cover the essential elements for planning, designing, budgeting, implementing, maintaining and assessing a comprehensive information security program.
A high-level outline includes:
Part 1: Information Security Fundamentals
Part 2: Protecting organizational assets through security controls
Part 3: Information Security Program Design and Business Case
The course is based on the University of Massachusetts Information Security Program, which was the 2013 Information Security Executive (ISE®) North America Project Award Winner - Academic/Public Sector Category.
This presentation will include Part 1 only.
Designing and Building an Information Security Program
Part 1: The Fundamentals
Understand the Problem
Understand the Challenges
Understand the Risks
Understand the Vulnerabilities
Understand the Threats
Understand the Assets
Understand the Controls
Understand the Technologies
Understand the Services
Understand the Resources
Understand the Solution
Putting it all Together
Building the Controls Factory
Data breaches hit an all-time high in 2013 …
Target, Neiman Marcus, and Adobe: this past year was pretty rough for them.
Could they have done anything to avoid the security breaches?
Yes, according to the Online Trust Alliance (OTA)'s latest report: companies should have better security controls and practices.
What Was Discovered
Over 740 million records were exposed in 2013 alone, making it the worst year for data breaches to date.
89% could have been prevented if companies had simply employed basic, effective security measures.
South Carolina Department of Revenue Data Breach (October 2012)
A hacker exfiltrated 5.7 million Social Security numbers and 387,000 credit and debit card numbers in an external cyber attack.
What Went Wrong?
“Where do we go from here? We now have to go into cyber plan mode. This is a
new era in time where you can’t work with 1970s equipment, you can’t go with
compliance standards of the federal government, because both are outdated.”
- Nikki Haley, Governor of South Carolina
Cost of Recovery Estimates
Deloitte Security Assessment (2013)
FY 13 - $20 M (loan to Department of Revenue for response to hacking)
FY 14 - $15 M (initial Deloitte Security Assessment, May 2013)
FY 15 - $21 M (interim Deloitte Security Assessment, October 2013)
…. Organizations are held accountable
Businesses rely on IT to meet strategic objectives
Pervasive spread of new technologies (cloud, mobility, virtualization)
We need to provide the “right” information, at the “right” time, in the “right” format, to the “right” parties, at the “right” cost
At risk of hackers, malware, unauthorized access, data breach
There are new vulnerabilities, threats, unprotected assets
Data breaches have consequences: management is held accountable
We must design and implement security controls to mitigate risk and protect our critical IT assets and information resources
Information is everywhere: data centers, the cloud, mobile devices
The attack surface is exploding. We need to be flexible to adjust.
There’s a lot riding here. It’s the business; we need to get this right.
Understand the Challenges
The Internet of Things (Assets) … are at risk from security threats
The Risk Equation
Risk = (Threats × Vulnerabilities × Asset Value) / Controls
How do we calculate risk?
Risk is based on the likelihood and impact of a security incident or data breach.
Threats involve the potential attack against IT assets or information resources.
Vulnerabilities are weaknesses that could be exploited by a threat.
Asset Value is based on the criticality of IT resources and information assets (aka things).
Controls are safeguards that protect IT resources and information assets.
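The risk equation above is easier to reason about when it is applied to a small register and the assets are ranked. The following is an added example, not code from the presentation or from the University of Massachusetts program. It assumes a constructed 1-to-5 scoring scale for each factor and clamps the Controls factor to a minimum of 1 (so "no controls" means the risk is not reduced rather than a division by zero); both the scale and the clamping are this example's assumptions, and the register entries are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Scores use a constructed 1..5 scale (1 = lowest, 5 = highest). The scale is an
# assumption of this example, not something the slides prescribe.
@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: int    # criticality of the IT resource or information asset
    threat: int         # likelihood of an attack against it
    vulnerability: int  # exploitable weaknesses it carries
    controls: int       # effectiveness of the safeguards protecting it


def risk_score(asset: Asset) -> float:
    """Risk = (Threats x Vulnerabilities x Asset Value) / Controls, as on the slide.

    Controls are clamped to a minimum of 1 so that 'no controls' leaves the risk
    unreduced instead of dividing by zero (the clamping is this example's assumption).
    """
    controls = max(1, asset.controls)
    return (asset.threat * asset.vulnerability * asset.asset_value) / controls


def residual_risk(asset: Asset, new_controls: int) -> float:
    """Risk the same asset would carry once its controls reach new_controls."""
    return risk_score(Asset(asset.name, asset.asset_value, asset.threat,
                            asset.vulnerability, new_controls))


def rank_by_risk(assets: Iterable[Asset]) -> List[Asset]:
    """Highest-risk assets first: the order in which a program should address them."""
    return sorted(assets, key=risk_score, reverse=True)


# Constructed sample register, loosely echoing items from the vulnerability and asset
# slides. The numbers are illustrative only.
SAMPLE_REGISTER = [
    Asset("Web application, unpatched", asset_value=4, threat=5, vulnerability=4, controls=1),
    Asset("Payroll database", asset_value=5, threat=3, vulnerability=2, controls=4),
    Asset("Laptop with full-disk encryption", asset_value=3, threat=4, vulnerability=3, controls=5),
    Asset("Paper records in locked cabinet", asset_value=2, threat=1, vulnerability=2, controls=2),
]

if __name__ == "__main__":
    for a in rank_by_risk(SAMPLE_REGISTER):
        print(f"{risk_score(a):6.1f}  {a.name}")
    web = SAMPLE_REGISTER[0]
    # Raising controls from 1 to 4 on the unpatched web application cuts its score fourfold.
    print(f"{web.name!r} controls 1 -> 4: {risk_score(web):.1f} -> {residual_risk(web, 4):.1f}")
```

The point the ranking makes is the slide's own: the unpatched web application tops the list not because it is the most valuable asset (the payroll database is), but because high threat and high vulnerability multiply while almost no controls divide them away.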
Understand the Risks
Understand the Vulnerabilities
These are some of the vulnerabilities …
Paper Records
Database Vulnerabilities
EOL Software (outdated software)
Unpatched Systems
Web Application Vulnerabilities
Default Passwords
Lost Data
Software Vulnerabilities
Weak Passwords
Phishing E-mails
Mobile Devices
Cloud Computing
Network Vulnerabilities
Local Admin Permissions
Lost Tape Drive
Password Reset
Social Engineering
Misconfigured Firewall
Lost or Stolen Device
Understand the Threats
Understand the Assets
These are the assets (human assets, technology assets, information assets) that we need to protect …
Mobile Applications
Corporate (Trusted) Networks
File Systems
Structured Data
Mobile Devices
Databases
Data Center Systems
Cloud Computing
Unstructured Data
Privileged Users
Laptop
Vendor / Contractor Hosted Applications
Network Applications
Internet (Untrusted) Networks
Document Images
Research Data
Credit Card Number
Social Security Numbers
Business Applications
Drivers License
Intellectual Property
Bank Account
Critical Infrastructure
Employee
(Critical Controls referenced on the slide: CAG-05, CAG-06, CAG-07)
Understand the Controls
Understand the Technologies
Understand the Services
Understand the Resources
These are the management, technical, operational and administrative resources that run the program …
Security Program Management
Security Program Design
Security Program Operations
Security Program Administration
Business Management
Executive Management
IT Management
Executive & Senior Management
Business Process Owner
Data Custodian
InfoSec Officer
Program Management Team
Program Design Team
Program Operations Team
Desktop Support Team
Security Architect
Security Engineer
Security Administrator
Systems Engineer
Network Engineer
Applications Engineer
Systems Operations
Network Operations
Security Operations
MSSP
Audit / Advisory
Budget Office
Understand the Solution
Security professionals understand why security breaches occur.
Our Managed Assets ARE protected: identify and secure our managed assets (our portfolio of managed assets).
Our Unmanaged Assets ARE NOT protected: there are undetected problems, not seen and not reported. Identifying and securing our unmanaged assets.
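The managed/unmanaged distinction above comes down to a reconciliation: what the program's inventory says it knows and controls, versus what is actually answering on the network. The following is an added example, not code from the presentation or from the University of Massachusetts program. The inventory, the hostnames and the scan results are all constructed, and the category names ("managed", "known_unprotected", "unmanaged", "stale") are this example's labels, not terms from the slides.

```python
from typing import Dict, Iterable, List

# Constructed sample inventory (not real systems): what the program knows, keyed by
# hostname, with the owner and the controls currently applied to each known asset.
INVENTORY: Dict[str, dict] = {
    "db-payroll-01":  {"owner": "Finance",  "controls": ["patching", "logging", "backup"]},
    "web-portal-01":  {"owner": "Web Team", "controls": ["patching", "waf", "logging"]},
    "ws-lab-117":     {"owner": "Research", "controls": []},        # known, not yet secured
    "nas-archive-02": {"owner": "Library",  "controls": ["backup"]},  # in inventory, not seen
}

# Constructed result of a network discovery scan: the hostnames that answered.
SCAN_RESULTS: List[str] = [
    "db-payroll-01", "web-portal-01", "ws-lab-117", "printer-3f-east", "rpi-sensor-07",
]


def classify_assets(inventory: Dict[str, dict], scan: Iterable[str]) -> Dict[str, List[str]]:
    """Reconcile the inventory against what the scan saw.

    managed           : known, seen, and with controls applied  -> protected
    known_unprotected : known and seen, but no controls yet      -> not protected
    unmanaged         : seen on the network, absent from inventory -> not protected, not reported
    stale             : in inventory but not seen                 -> record to verify or retire
    """
    known = set(inventory)
    seen = set(scan)
    return {
        "managed": sorted(h for h in known & seen if inventory[h]["controls"]),
        "known_unprotected": sorted(h for h in known & seen if not inventory[h]["controls"]),
        "unmanaged": sorted(seen - known),
        "stale": sorted(known - seen),
    }


def coverage_ratio(classification: Dict[str, List[str]]) -> float:
    """Share of assets seen on the network that are actually managed (controls applied)."""
    seen_total = sum(len(classification[k]) for k in ("managed", "known_unprotected", "unmanaged"))
    return len(classification["managed"]) / seen_total if seen_total else 1.0


if __name__ == "__main__":
    result = classify_assets(INVENTORY, SCAN_RESULTS)
    for category, hosts in result.items():
        print(f"{category:18} {hosts}")
    print(f"coverage: {coverage_ratio(result):.0%} of assets seen on the network are managed")
```

The two categories that matter for the slide's point are the last two in the middle: "known_unprotected" assets are the ones the program can fix today, while "unmanaged" assets are the undetected problems, present on the network but absent from every report the program produces. Feeding discovery results back into the inventory is what turns an unknown asset into a known one.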
Putting it all Together
These are the assets: Information Assets, Human Assets, Technology Assets
These are the controls: Management & Communications Controls, Cyber-security Controls, General Computer Controls, Asset Lifecycle Administration
These are the managed assets: Managed Asset = Cyber-security Controls + General Computer Controls + Asset Lifecycle Administration
Building The Controls Factory
[Figure: the Controls Factory pipeline. An Endpoint enters as an Unknown Asset, becomes a Known Asset, and leaves the pipeline as a Managed Asset. Control layers: ASSET LIFECYCLE ADMINISTRATION [ALA], CYBER-SECURITY CONTROLS [CSC], GENERAL COMPUTER CONTROLS [GCC], MANAGEMENT CONTROLS [MGT]. Teams: Program Management Team, Program Engineering Team, Program Operations Team, Program Administration Team.]