
Page 1: Security Across the Organization - Palm Beach County, Florida

Security Across the Organization

Paul Jones
CIO – Clerk & Comptroller, Palm Beach County

CISSP, ITIL Expert, Security+, Project+

Page 2:

Objectives:

• Organization wide security

• IT’s role

• Security awareness

• Risks and liabilities

• The three tiers

• Leadership support

• The life cycle

Page 3:

The Paradigm Shift

[Diagram: Organization drives Technology; Strategic Alignment; Security enables]

Page 4:

Breaches, breaches everywhere

Headlines:

• Tewksbury police pay hacker $500 ransom to decrypt files
• Philadelphia City Council website hacked after election
• Cities probe worker email addresses linked to Ashley Madison site
• Columbia city website offline 13 hours
• baltimorecity.gov offline 16 hrs

Records affected:

• OPM Breach #1: 4,000,000
• OPM Breach #2: 21,500,000
• IRS: 610,000
• Slack: 500,000
• Adult Friend Finder: 3,900,000
• Uber: 50,000
• mSpy: 400,000
• Ashley Madison: 37,000,000
• British Airways: “Tens of Thousands”
• Japan Airlines: 750,000
• Premera: 11,000,000
• Carefirst: 1,100,000
• Community Health Systems: 4,500,000
• DCF: 200,000
• Australian Immigration: “Unknown”

Page 5:

The Security Chess Game

THE ODDS ARE WORKING AGAINST YOU!

• MALWARE & VIRUSES
• PHISHING
• SOCIAL ENGINEERING
• RANSOMWARE
• PATCHES
• PHYSICAL SECURITY
• DENIAL of SERVICE
• INSIDER THREATS
• MISUSE

image source: mangosalaute.com

Page 6:

Misconception – “Security is an IT thing”

“A new study reveals that more than 8 out of 10 (88%) companies surveyed admit their organization experienced a significant security event in the last twelve months with as many as 73% of the companies indicating that the cause was insiders” (The Norris Corporation, 2015)

“While shadowy hackers in Eastern Europe often get the blame for these attacks, more than 80% of the breaches that Bruemmer's group works with had a root cause in employee negligence” (Michael Bruemmer, Experian's data breach resolution group, 2015)

• Internal disclosures
• Disgruntled employee
• Social engineering scams
• Phishing scams
• Human errors
• Privilege escalation

www.mypalmbeachclerk.com

Page 7:

The Balancing Act

[Balance-scale diagram of competing priorities]

• Ease of Use
• Compliance
• Stability
• Maintenance
• Speed to Delivery
• Cost Cutting
• Simplicity
• Quality
• Availability
• Functionality
• Reactive
• Proactive
• Get-R-Done
• Customer Service
• Visible Issues
• Invisible Success

Page 8:

Risk Mitigation

• Legal Risks
• Financial Risks
• Regulatory Risks
• Political Risks
• Compliance Risks
• Resource Risks
• Credibility Risks

Page 9:

Reducing Liability

“If an organization does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence” (Harris, 2010, p. 110)

Due Diligence is the act of continually investigating and understanding the risks and vulnerabilities the organization faces.

Due Care is implementing security policies, procedures, standards and countermeasures to provide protection from those threats.

Page 10:

The Three Tiers: Above and Beyond the Technical

TECHNICAL: THE TECHNICAL LAYER deals with putting in place the technical infrastructure designed to recognize and prevent breaches from occurring.

ADMINISTRATIVE: THE ADMINISTRATIVE LAYER deals with having in place security policies, procedures, and processes designed to lay a foundation for managing and administering security across the organization.

GOVERNANCE: THE GOVERNANCE LAYER deals with the ongoing verification and validation of all security system implementations, including both the technical and administrative functions.

Page 11:

Leadership Support

• Senior leader buy-in (make security important)
• Communicate and educate at all levels
• Create a culture of security awareness
• Establish strong governance (what you permit you promote)
• Incorporate all three tiers (technical, administrative, governance)
• Trust but verify (external audits)
• Be prepared for the worst (incident response plan)
• Define responsibility and accountability at all levels
• Demand continual improvement
• Reward and recognize

Page 12:

Security Life Cycle

• Setting Direction (Security Strategy): security strategy development, organization design, management reporting
• Creating a Sound Framework of Control (Security Governance & Control): risk, policy and privacy review, regulatory compliance assessment, data loss prevention, awareness programs
• Building Secure Systems & Infrastructure (Architecture, Network Security & Identity): security architecture, network security, cloud computing security, identity and access management solutions, ERP security
• Managing Exposure (Threat & Vulnerability Management): penetration testing, vulnerability scanning and remediation, continuous and global threat monitoring
• Managing Incidents (Incident Response & Forensic Investigation): incident response review, corporate and regulatory investigations and readiness, crisis response
• Building in Resilience (Business Continuity Management): business continuity management, disaster recovery, crisis management

Page 13:

Resources

Multi-State Information Sharing & Analysis Center
http://msisac.cisecurity.org/

Cyber Security Guides
http://msisac.cisecurity.org/resources/guides/

SANS Information Security Policy Templates
http://www.sans.org/security-resources/policies/?ref=3731

NIST Cybersecurity Framework
http://www.nist.gov/cyberframework/

SANS 20 Critical Security Controls
https://www.sans.org/critical-security-controls/controls

United States Computer Emergency Readiness Team
https://www.us-cert.gov/

Page 14:

QUESTIONS?
