Management Awareness Training


Transcript of Management Awareness Training

Page 1: Management Awareness Training

infotex

Dan Hadaway CISA, CISM, Managing Partner, infotex

Management Awareness Training

Awareness Training Series

Page 2: Management Awareness Training

Objectives

• What is IT Governance, and what does a typical IT Governance program look like?
• What is the management team’s role in the IT Governance Program?
• What is the ISO’s role?
• What should the management team know to ensure proper IT Governance?
• How can management help manage technology risk?

Page 3: Management Awareness Training

Today’s Agenda

• Management Awareness Resources
• Five Tenets of IT Governance
• The IT Governance Program
  – The Risk Assessment
  – Information Technology Audits
  – Vendor Due Diligence
  – Awareness Training
• New Risks for 2011/2012
• The 2011 Audit Results

Page 4: Management Awareness Training

Today’s Agenda (agenda slide repeated)

Page 5: Management Awareness Training

In this next section

• We will become familiar with the “workshop portal” and this presentation.
• We will hear credentials that can be used to log onto the workshop portal.
• We will learn what is on the “workshop portal.”

Page 6: Management Awareness Training

Available Tools . . .

• IT Audit Test Types
• The ISO Job Description
• Awareness Training Procedure
• Management Awareness Training Procedure
• Governance Policy Development Chart

Page 7: Management Awareness Training

Available Tools . . .

• Management Guidelines for Social Media
• User Guidelines for Social Media
• Management Talking Points for Mobile Banking and Social Media

Page 8: Management Awareness Training

Available Tools . . .

• Wireless Banking Article (Top Five Risks)
• Wireless Banking Article
• Wireless Banking Risk Assessment
• Wireless Banking Due Diligence Kit

Page 9: Management Awareness Training

Our Credentials

• Information Security
  – CISAs, CISMs, CISSPs
  – Developed my first AUP in 1988
  – Updating our process annually
  – Been doing Annual UAT for banks since 2002
• GLBA, BSA, OFAC, FACTA, HIPAA
• Assessments, IT Audits, Consulting
• Managed Services (Network Monitoring)

Page 10: Management Awareness Training

Nomenclature

• Information Security Strategy
• Information Security Program
• IT Risk Management Program
• IT Governance Program

Essentially the same thing.

Page 11: Management Awareness Training

IT Governance Program

• Combines:
  – Serve Business Mission
  – Manage Technology Risk (information security)

Page 12: Management Awareness Training

Today’s Agenda (agenda slide repeated)

Page 13: Management Awareness Training

In this next section

• We will learn five basic tenets of IT Governance that all management team members should know.
• We will learn why IT Governance is concerned with Risk Management.
• We will learn “the one control” and why this workshop is important.

Page 14: Management Awareness Training

#1

Page 15: Management Awareness Training

#1: Serve the Mission

Information Technology must be aligned with the Business Strategy of the bank!

Page 16: Management Awareness Training

Strategy Alignment

• Facilitate business tactics
  – Assists in business processes
  – Creates a competitive edge
  – Increases communication with “all four corners of the bank,” especially customers.
  – Provides accurate information to management

Page 17: Management Awareness Training

Strategy Alignment

• Deliver a Return on Investment
  – Tangible Return
    • Check 21 takes advantage of quicker check processing. Imaging System reduces paper costs.
    • Fees charged for various services.
  – Intangible Return
    • Firewall mitigates risk of internet hacking.
    • On-line Banking provides convenience to customers.

Page 18: Management Awareness Training

Management Role

• Determine technologies that will best facilitate business tactics.
• Determine appropriate time to deploy new technologies (Apply Pressure)

Page 19: Management Awareness Training

Management Role

• Search and Selection Process
  – Cost/Benefit, Benefit/Risk, When???
  – Risk Analysis
  – Requirements Definition
  – Request for Proposal

Page 20: Management Awareness Training

Management Role

• Negotiate Contracts (as per Vendor Management Procedure)
• Implementation – From a user perspective
  – Return to risk analysis
  – Return to cost/benefit analysis
  – Return to features analysis
• Ongoing Vendor Due Diligence (as per Vendor Management Procedure)

Page 21: Management Awareness Training

When is the appropriate time?

Page 22: Management Awareness Training

Rogers’ Diffusion Theory of Innovation

• Innovators
• Early adopters
• Early majority
• Late majority
• Laggards

Everett M. Rogers' Diffusion of Innovations

1. Align IT with Business Strategy

Page 23: Management Awareness Training

Stages of Innovation

• Knowledge
• Persuasion
• Decision
• Implementation
• Confirmation

[Figure annotations: “Risk Assessment?” and “Security Controls”]

Everett M. Rogers' Diffusion of Innovations

Page 24: Management Awareness Training

Early Adopters in Banking

• Physical Security
• Information Security

Dan’s Interpretation of Everett M. Rogers' Diffusion of Innovations

Page 25: Management Awareness Training

Late Majority / Laggard

• Virtualization
• Cloud Computing
• Social Media
• Telecommuting

Dan’s Interpretation of Everett M. Rogers' Diffusion of Innovations

Softwareforcloudcomputing.com

Page 26: Management Awareness Training

Risk/Benefit Evolution Curve

[Figure: Value (vertical axis) against Time (horizontal axis); one curve labelled “Features, Sophistication”, the other “Price, Problems”]

Page 27: Management Awareness Training

Risk/Benefit Evolution Curve

[Figure: the same Risk/Benefit Evolution Curve, repeated]

Page 28: Management Awareness Training

Risk/Benefit Evolution Curve

[Figure: the same Risk/Benefit Evolution Curve, with the adopter categories added: Innovator, Early Adopter, Early Majority, Late Majority, Laggards]

Page 29: Management Awareness Training

Digital Video Security

[Adoption curve: Innovators, Early adopters, Early majority, Late majority, Laggards]

2012

Page 30: Management Awareness Training

Secure Messaging

[Adoption curve: Innovators, Early adopters, Early majority, Late majority, Laggards]

2012

Page 31: Management Awareness Training

Remote Access in Banks

[Adoption curve: Innovators, Early adopters, Early majority, Late majority, Laggards]

2010

Page 32: Management Awareness Training

Social Media in Banks

[Adoption curve: Innovators, Early adopters, Early majority, Late majority, Laggards]

2011

Page 33: Management Awareness Training

Wireless Banking

[Adoption curve: Innovators, Early adopters, Early majority, Late majority, Laggards]

2013

Page 34: Management Awareness Training

#2

Page 35: Management Awareness Training

#2: Manage the Risk

Information, Technology, and Information Technology expose the bank to risk!

Page 36: Management Awareness Training

#2) The Risk Spectrum

• There is no such thing as 100% security!

[Figure: risk spectrum, labelled “Ignore it?” at one end and “Obsession?” at the other]

Page 37: Management Awareness Training

#2) The Risk Spectrum

• There is no such thing as 100% security!

[Figure: risk spectrum, labelled “Ignore it?” and “FFIEC Guidelines”]

Page 38: Management Awareness Training

How do you decide?

• There is no such thing as 100% security!

[Figure: risk spectrum, labelled “Ignore it?”, “FFIEC Guidelines” and “Risk-based Remediation”]

Page 39: Management Awareness Training

Principle Number Two

Information Security is about ACCEPTING RISK.

Page 40: Management Awareness Training

#3

Page 41: Management Awareness Training

A process question

When you are finished serving a customer, what do you typically do?

A. Cross Customer Service off the to-do list.
B. File the experience away as one you hope you’ll never have to do again.
C. Learn from the experience and try to serve the next customer better.
D. Move on to the next project.

Page 42: Management Awareness Training

Fundamental #3

Page 43: Management Awareness Training

Which means . . .

• No crossing it off the list.
• No filing it away.
• No wishing you never have to deal with it again.

Page 44: Management Awareness Training

And means . . .

• It’s cyclical.
• You learn from each cycle.
• It is constantly improving (we hope).
• It’s about managing risk and ensuring alignment with other business processes.

Page 45: Management Awareness Training

And to improve . . . .

• We must start by measuring.

But remember that metrics are all relative.

Page 46: Management Awareness Training

Fundamental #3

Page 47: Management Awareness Training

#4

Page 48: Management Awareness Training

Important Point Question

What is the Number 1 form of Identity Theft?

A. Pretext Calling
B. Drive-by Attacks (Trojan Horses installed by rogue websites.)
C. Insider Data Theft
D. Phishing
E. Other

Page 49: Management Awareness Training

Source: Javelin Research 2009 Identity Fraud Survey Report, a survey of 25,000 adults.

Page 50: Management Awareness Training

4) It’s not really Technical

[Figure: labelled Technology, People, Policy, Process]

Page 51: Management Awareness Training

IT requires a Team Approach

• Risk must be measured and managed using a multi-disciplinary approach.
• Risk is mitigated by establishing controls in the form of policies, procedures, and tools.
• Risk Management Controls involve “all four corners of the bank.”

Page 52: Management Awareness Training

Four Corners of the Bank

Page 53: Management Awareness Training

Four Corners of the Bank

[Figure: the parties around the four corners]
• Board of Directors
• Oversight Committee
• Management Team
• Technical Team
• Users
• Vendors
• Law Enforcement
• Academia
• Customers

Page 54: Management Awareness Training

Information Security Officer

• Measures, Manages, Reports Information Security Risk
• Interacts with all four corners.
• Facilitates development and continuous improvement of security controls.
• Delivers an Annual Report directly to the board.

Page 55: Management Awareness Training

Information Security Officer

• Works with Management to:
  – Measure and Control Risk
  – Develop and enforce Security Controls
  – Plan Response to Negative Incidents (Policy Violation, Security, Disaster)
  – Manage Vendor Risk
  – Authorize Access to IT Assets
  – Inventory and manage IT Assets
  – Escalate Risk Acceptance Decisions (to the Board of Directors)

Page 56: Management Awareness Training

#5

Page 57: Management Awareness Training

Page 58: Management Awareness Training

Four Risk Factors

• Threats
• Vulnerabilities
• Impact Severity
• Likelihood

Page 59: Management Awareness Training

Threats

• Terrorists
• Hackers
• Scammers / Con-men / Fraudsters / Thieves
• Vandals
• Technology Itself
• Users / Vendors
• Nosy Neighbors
• Ex-Spouses

Page 60: Management Awareness Training

We can’t take it lightly

• Zeus – Software suite designed to help hackers attack banks.

Page 61: Management Awareness Training

Marc Rogers, Purdue University

Page 62: Management Awareness Training

. . . zooming in . . .

Page 63: Management Awareness Training

Vulnerabilities

• Airplanes
• Ports
• Subway System
• Buildings
• Public Places
• E-mail
• Browsers
• Network Access
• Users
• > 300 considered in Risk Assessment

Page 64: Management Awareness Training

Impact Severity

• Almost 3000 people
• Financial System
• Airlines
• Convenience
• Customers’ Identities
• Horror Stories
• Heartland Payment System ($7/card, 20,000 cards)
• Reputation

Page 65: Management Awareness Training

Likelihood

• It can happen on American Soil
• Technology Itself – Very High
• Pretext Calling – High
• Phishing – High
• Hacking – Medium
• Physical Breach – Low (still happens though!)

Page 66: Management Awareness Training

Today’s Agenda (agenda slide repeated)

Page 67: Management Awareness Training

In this next section

• We will learn about the Federal Financial Institution Examination Council (FFIEC) and its published “guidelines” for information technology, and why these guidelines become audit frameworks.
• We will see a quick summary of “management responsibilities for IT.”
• We will review a “map” of the typical bank’s IT Governance Program.
• We will learn how the management team “plugs in” to the IT Governance Program.

Page 68: Management Awareness Training

Types of Risk

• Transaction Risk
  – Data Corruption Problems
  – Social Engineering
  – Customer Errors (Internet Banking)
• Legal Risk
  – Obscene Jokes in E-mail
  – Privacy Violations
  – Unlicensed Software

Page 69: Management Awareness Training

Types of Risk

• Financial Risk
  – Early Adopter of Technology
  – Vendor Solvency
  – Cost of Security Breaches
• Operational Risk
  – Virus Attacks
  – Denial of Service (DoS) Attacks
  – Project Management Risk

Page 70: Management Awareness Training

Types of Risk

• Reputational Risk
  – Any Security Incident presents some reputational risk.
  – Poor Incident Response can turn a minor incident into a major incident.

Page 71: Management Awareness Training

Types of Risk

• Compliance Risk
  – GLBA
  – HIPAA, CIPA, SOX
  – PCI, BS12000, ITIL, CobiT
  – BSA, OFAC, US Patriot Act
  – FACTA
  – SB1386

Page 72: Management Awareness Training

Gramm Leach Bliley Act

Specifically, Title V of the GLBA, called "Disclosure of Nonpublic Personal Information," is intended to ensure the security and confidentiality of customers' records and information, protect the integrity of such information, and protect against unauthorized access to such information.

Page 73: Management Awareness Training

Thank goodness for the . . .

Page 74: Management Awareness Training

The FFIEC

• Federal Reserve System (FRB)
• Federal Deposit Insurance Corporation (FDIC)
• National Credit Union Administration (NCUA)
• Office of the Comptroller of the Currency (OCC)
• Office of Thrift Supervision (OTS)

Page 75: Management Awareness Training

The FFIEC

[Figure: FFIEC publications]
• Information Security Handbook
• Information Security Work Program
• IT Audit Handbook
• IT Audit Work Program
• Boilerplates

Page 76: Management Awareness Training

Management Responsibilities

A quick summary

Awareness Training Series

Page 77: Management Awareness Training

Summary of Responsibilities

• Understand how IT aligns with bank and department business strategy and work with IT to ensure appropriate alignment.
• Know the IT Governance program, how it works, the ISO’s role, and your role in the various sub-programs.
• Be familiar with technology risk that the bank faces.
• Enforce technology controls.
• Activate awareness of staff members.

Page 78: Management Awareness Training

What does an IT Governance Program include?

(according to FFIEC Guidelines)

Page 79: Management Awareness Training

The FFIEC

[Figure: FFIEC publications, repeated: Information Security Handbook, Information Security Work Program, IT Audit Handbook, IT Audit Work Program, Boilerplates]

How about a map?

Page 80: Management Awareness Training

IT Governance Program

The combined policy, procedures, and tools about a particular issue can be referred to as a “Program.”

[Figure: the three layers of a program]
• Policy
• Procedure
• Tools (standards, guidelines, applications, forms, websites, etc.)

Page 81: Management Awareness Training

Authentication Example

A procedure enforces a board level policy using tools called for in the procedure.

[Figure: the same three layers, filled in for authentication]
• Policy: AUP
• Procedure: Authentication Procedures
• Tools: Passwords, Out-of-Pocket Questions, Visitor Authorization Process

Page 82: Management Awareness Training

Information Technology Governance Program

[Figure: program wheel showing the sub-programs of the IT Governance Program]
• Risk Analysis
• Awareness
• Security Standards
• Vendor Management
• Business Continuity
• Asset Management
• Incident Response
• Access Management
• Governance Policy

Page 83: Management Awareness Training

[Figure: Information Technology Governance Program wheel, repeated]

Page 84: Management Awareness Training

Risk Analysis Program

Page 85: Management Awareness Training

[Figure: Information Technology Governance Program wheel, repeated]

Page 86: Management Awareness Training

Access Management

Page 87: Management Awareness Training

[Figure: Information Technology Governance Program wheel, repeated]

Page 88: Management Awareness Training

Incident Response Program

Page 89: Management Awareness Training

Incident Response

• Awareness is an important part of incident response.

[Figure: CIRT – ISO – Everybody]
• Board of Directors
• Law Enforcement
• Customers

(Could be steering committee.)

Page 90: Management Awareness Training

[Figure: Information Technology Governance Program wheel, repeated]

Page 91: Management Awareness Training

Asset Management Program

Page 92: Management Awareness Training

[Figure: Information Technology Governance Program wheel, repeated]

Page 93: Management Awareness Training

Business Continuity Program

Page 94: Management Awareness Training

Business Continuity Program

[Figure: Risk Analysis, Business Continuity Plan, and Scenario Responses (Pandemic, Ice Storm, Tornado, Flood, Fire)]

Page 95: Management Awareness Training

[Figure: Information Technology Governance Program wheel, repeated]

Page 96: Management Awareness Training

Vendor Management Program

[Figure: Vendor Management Program map; labels as they appear on the slide]
• Procedure
• Governance Policy
• Vendor Management Policy
• Search and Selection
• Contract Negotiations
• Security Sanctions Policy
• Assigned Security Responsibility
• Ongoing Due Diligence
• Threshold Risk Assessment
• Vendor Agreement Template
• Vendor Request
• Detailed Risk Assessment
• Risk Analysis
• Vendor Risk Determination Table
• Checklists

Page 97: Management Awareness Training

[Figure: Information Technology Governance Program wheel, repeated]

Page 98: Management Awareness Training

Security Standards

Page 99: Management Awareness Training

Security Standards

Page 100: Management Awareness Training

[Figure: Information Technology Governance Program wheel, repeated]

Page 101: Management Awareness Training

Awareness Program

[Figure: Awareness Program map; labels as they appear on the slide]
• Governance Policy
• Awareness Program
• Management Awareness Training
• Technical Awareness Training
• User Awareness Training
• Customer Awareness Training
• Board of Directors
• Management Team

Page 102: Management Awareness Training

Awareness Program

[Figure: the same Awareness Program map, with two labels added]
• Vendor Management Program
• Due Diligence Request Letter

Page 103: Management Awareness Training

[Figure: Information Technology Governance Program wheel, repeated]

Page 104: Management Awareness Training

IT Governance Policy

[Figure: what the IT Governance Policy does]
• Establish Steering Committee
  – Committee Membership: Board Member, Management Team, End Users (rotated)
• Authorize the ISO
• Requires Training at all levels
• Report Critical Security Breaches
• Define Governance
• Align IT with Business
• Delineates Annual Report to the Board

Page 105: Management Awareness Training

Today’s Agenda (agenda slide repeated)

Page 106: Management Awareness Training

In this next section

• We will learn why a multidisciplinary approach to technology risk assessments is critical.
• We will find out the types of threats that need to be considered in a risk assessment.
• We will see a typical risk assessment process.

Page 107: Management Awareness Training

Summary: Managers Should

• Clearly support all aspects of the information security program;
• Implement the information security program as approved by the board of directors;
• Establish appropriate policies, procedures, and controls;
• Participate in assessing the effect of security issues on the financial institution and its business lines and processes;

Page 108: Management Awareness Training

Summary: Managers Should

• Delineate clear lines of responsibility and accountability for information security risk management decisions;
• Define risk measurement definitions and criteria;
• Establish acceptable levels of information security risks; and
• Oversee risk mitigation activities.

Page 109: Management Awareness Training

That’s straight out of FFIEC guidelines (page 6, Information Security Handbook)

Page 110: Management Awareness Training

Information Security Program Equals IT Governance Program

Page 111: Management Awareness Training

[Figure: Information Technology Governance Program wheel, repeated]

Page 112: Management Awareness Training

Risk Analysis Program

Page 113: Management Awareness Training

Four Primary Risk Assessments

[Figure: Risk Assessments]
• Vendor Risk Determination
• Business Impact Analysis
• Technology Risk Assessment
• Asset Criticality Analysis

Page 114: Management Awareness Training

Today’s Agenda

• Management Awareness Resources
• Five Tenets of IT Governance
• The IT Governance Program
  – The Risk Assessment
  – Information Technology Audits
  – Vendor Due Diligence
  – Awareness Training
• New Risks for 2010/2011
• ISO Job Description & Interactions

Page 115: Management Awareness Training

In this next section

• We will learn the primary purposes of an IT Audit.
• We will understand the need for risk-based auditing.
• We will learn the different types of audit tests.
• We will be exposed to the need for good IT Audit metrics.

Page 116: Management Awareness Training

The IT Audit

Page 117: Management Awareness Training

Three Primary Purposes

• Alignment with business mission
• Appropriate risk management
• Compliance with applicable law

Page 118: Management Awareness Training

Alignment w/ Business Mission

• Strategy Alignment
• Facilitate Execution of Business Tactics
• Demonstrate Return on Investment

Page 119: Management Awareness Training

Risk Management Assurance

• Test of Risk Assessment Process
• Test of Management Awareness
• Test of Declared Controls
• Test of User Awareness
• Escalate Risk Acceptance decisions to the Board of Directors

Page 120: Management Awareness Training

Comply with the Law!

• FFIEC Guidelines as the Framework
• CobiT as Framework for SOX banks
• State laws may introduce individual compliance framework needs (SB1386 in California)

Page 121: Management Awareness Training

Risk-based Auditing

• Ensures testing is appropriate
• Delivers Value to Audit Process
• Relies heavily on bank risk assessment

Page 122: Management Awareness Training

Risk-based Auditing

• Test the controls that protect the highest value assets.
• Test the controls that protect the most likely targeted assets.
• Test the controls that management has declared mitigate the MOST risk (highest delta control value).

Page 123: Management Awareness Training

Risk-based Auditing

[Figure: Inherent Risk, Delta Control, Residual Risk]

Page 124: Management Awareness Training

Types of IT Audit Tests

• Technical
• Non-technical

Page 125: Management Awareness Training

But first …

• Capture-the-flag versus assessment

Page 126: Management Awareness Training

Types of IT Audit Tests

• IT Governance Review
  – GLBA Compliance
  – Policy and Procedure Review
  – Testing of Non-technical Controls
  – Involves interviewing “all four corners” of the bank

Page 127: Management Awareness Training

Types of IT Audit Tests

• Technical Vulnerability Assessments
  – Perimeter
    • Penetration Testing
    • Vulnerability Scanning of Perimeter
    • Confirmation
  – Internal Network
    • Vulnerability Scanning
    • Network Configuration Audit
    • Confirmation

Page 128: Management Awareness Training

Types of IT Audit Tests

• Social Engineering Tests
  – Two purposes
    • Test Awareness
    • Test Incident Response
  – Spear Phishing
  – Pretext Calling
  – Password File Analysis
  – Orchestrated Attacks

Page 129: Management Awareness Training

IT Physical Security

• Physical Breach Tests
• Walk-throughs
• Dumpster Diving
  – Trash-can Diving
• Physical Security Checklists

Page 130: Management Awareness Training

Checklist Tests

• IT Governance
• Physical Security
• Network Configuration Audits

Be careful that findings are risk ranked.

Page 131: Management Awareness Training

Risk Metrics

• Should be based on likelihood and impact
• Some auditors will also factor in ease of remediation
• You should be interested in residual risk, anticipated residual risk, and risk reduction (or “delta control”)

Page 132: Management Awareness Training

Risk Metrics

• Comparing risk from one year to the next, or from one bank to the next, is difficult

• What’s important is knowing that the management team understands the metrics and the risk
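The slides on the four risk factors, risk-based auditing (inherent risk, residual risk, delta control) and risk metrics describe a scoring scheme without showing one. The following is an added example, not code from the infotex deck or its workshop portal: it scores constructed sample findings on likelihood and impact, derives residual risk, anticipated residual risk and delta control, and then produces the three "test first" lists the Risk-based Auditing slide asks for. The 1–4 numeric scale, the formula inherent = likelihood × impact, and the idea of expressing a control as an effectiveness fraction are assumed conventions for this example; the deck does not prescribe them.

```python
"""Risk-ranking helper for a risk-based IT audit.

Added example, not part of the infotex deck. It scores audit findings with the
four risk factors the deck names (threat, vulnerability, impact severity,
likelihood) and ranks them by inherent risk, residual risk, anticipated
residual risk and "delta control" (risk reduction). The 1..4 numeric scale and
the formula inherent = likelihood x impact are an assumed convention.
"""
from dataclasses import dataclass

# Ordinal levels mapped to numbers (assumption for this example).
LEVELS = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}


@dataclass(frozen=True)
class Finding:
    asset: str                        # what the control protects
    threat: str                       # threat actor or event
    vulnerability: str                # weakness the threat would use
    likelihood: str                   # Low / Medium / High / Very High
    impact: str                       # Low / Medium / High / Very High
    control: str                      # control management has declared
    effectiveness: float              # declared effectiveness, 0.0 .. 1.0
    anticipated_effectiveness: float  # after planned remediation, 0.0 .. 1.0

    def __post_init__(self):
        # Reject levels and fractions that would silently distort the ranking.
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in LEVELS:
                raise ValueError(f"unknown {name} level: {getattr(self, name)!r}")
        for name in ("effectiveness", "anticipated_effectiveness"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1, got {value}")

    def inherent_risk(self) -> int:
        """Risk before any control: likelihood x impact."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def residual_risk(self) -> float:
        """Risk left after the declared control."""
        return self.inherent_risk() * (1.0 - self.effectiveness)

    def anticipated_residual_risk(self) -> float:
        """Risk expected once planned remediation is in place."""
        return self.inherent_risk() * (1.0 - self.anticipated_effectiveness)

    def delta_control(self) -> float:
        """Risk reduction credited to the control (inherent minus residual)."""
        return self.inherent_risk() - self.residual_risk()


def audit_priorities(findings, top=3):
    """Controls to test first, one list per rule on the Risk-based Auditing slide."""
    by_value = sorted(findings, key=lambda f: (LEVELS[f.impact], f.inherent_risk()), reverse=True)
    by_target = sorted(findings, key=lambda f: (LEVELS[f.likelihood], f.inherent_risk()), reverse=True)
    by_delta = sorted(findings, key=lambda f: f.delta_control(), reverse=True)
    return {
        "highest_value_assets": [f.control for f in by_value[:top]],
        "most_likely_targeted": [f.control for f in by_target[:top]],
        "highest_delta_control": [f.control for f in by_delta[:top]],
    }


def risk_report(findings):
    """Rows (control, inherent, residual, anticipated residual, delta), highest residual first."""
    rows = [(f.control, f.inherent_risk(), f.residual_risk(),
             f.anticipated_residual_risk(), f.delta_control()) for f in findings]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample findings; the likelihood levels follow the deck's Likelihood slide.
SAMPLE_FINDINGS = [
    Finding("Customer NPI", "Phishing", "Users", "High", "High",
            "User awareness training", 0.5, 0.7),
    Finding("Core banking system", "Technology Itself", "Unpatched servers", "Very High", "High",
            "Patch management", 0.75, 0.9),
    Finding("Customer NPI", "Pretext Calling", "Users", "High", "Medium",
            "Out-of-pocket questions", 0.5, 0.5),
    Finding("Perimeter", "Hacking", "Network Access", "Medium", "Very High",
            "Firewall", 0.75, 0.75),
    Finding("Data center", "Physical Breach", "Buildings", "Low", "Very High",
            "Badge access", 0.5, 0.5),
]

if __name__ == "__main__":
    for row in risk_report(SAMPLE_FINDINGS):
        print("%-26s inherent=%2d residual=%4.1f anticipated=%4.1f delta=%4.1f" % row)
    print(audit_priorities(SAMPLE_FINDINGS))
```

Two things the report makes visible that the slides only state: the same control can rank first on one list and third on another (the firewall protects the highest-value asset but is not the most likely target), and a control with a large delta control value is exactly the one whose failure would hurt most, which is why the deck says to test declared controls rather than take them on faith. The "metrics are all relative" caveat applies: the rankings are only comparable between findings scored on the same scale by the same team.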

Page 133: Management Awareness Training

Today’s Agenda (agenda slide repeated)

Page 134: Management Awareness Training

In this next section

• We will learn the primary purposes of the annual Vendor Due Diligence Review.

Page 135: Management Awareness Training

Vendor Management Program

[Figure: Vendor Management Program map, repeated]

Page 136: Management Awareness Training

Selection Process

[Figure: Risk Assessment; Requirements Definition vs. RFP Responses; Due Diligence; Evaluation]

Page 137: Management Awareness Training

Vendor Due Diligence Checklist

• Makes the annual review go so much better!
• . . . . . . at least after the first one.

Page 138: Management Awareness Training

Vendor Risk Assessment Process

[Figure: Threshold Risk Assessment; Vendor Due Diligence Request; Due Diligence Checklist; Missing Controls; Risk Management Program; Report to Board; Detailed Risk Assessment]

Page 139: Management Awareness Training

Outputs of Annual Review

Missing controls and anticipated safeguards should be input into the IT Risk Assessment.

Page 140: Management Awareness Training

Remember this diagram?

[Figure: Risk Assessments – Vendor Due Diligence, Business Impact Analysis, Technology Risk Assessment]

Page 141: Management Awareness Training

Remember this diagram?

[Figure: Risk Assessments – Vendor Due Diligence, Business Impact Analysis, Technology Risk Assessment]

This (and missing vendor controls) is where Vendor Due Diligence plugs into the overall Risk Assessment Process.

Page 142: Management Awareness Training

Outputs of Annual Review

Missing controls and anticipated safeguards should be input into the IT Risk Assessment.

They will be deployed as per risk severity in a reasonable period of time.

Page 143: Management Awareness Training

Outputs of Annual Review

Finally, risk acceptance decisions should be escalated to the board of directors by the ISO in the Annual Report.

Page 144: Management Awareness Training

Today’s Agenda (agenda slide repeated)

Page 145: Management  Awareness Training

In this next section

• We will learn some of the fundamental responsibilities of the Information Security Officer.

• We will see how the ISO interacts with various areas of the bank.

• We will understand how we can utilize the ISO to better manage our own technology risk.


Page 146: Management  Awareness Training

Information Technology Governance Program

Program diagram components: Governance Policy, Risk Analysis, Awareness, Security Standards, Vendor Management, Business Continuity, Asset Management, Incident Response, Access Management.

Page 147: Management  Awareness Training

Awareness Program

Program diagram nodes: Governance Policy; Awareness Program (Management Awareness Training, Technical Awareness Training, User Awareness Training, Customer Awareness Training); Board of Directors; Management Team; Vendor Management Program (Due Diligence Request Letter).

Page 149: Management  Awareness Training

Program diagram nodes: Risk Management Program; Awareness Program (Management Awareness Training, Technical Awareness Training, User Awareness Training, Customer Awareness Training); Board of Directors; Management Team.

Page 150: Management  Awareness Training

BAT Tools

• Board Awareness Training (video webcast is available)

• Annual Report
– Risk Analysis Executive Summary
– Vendor Due Diligence Results
– Summary of Critical Security Breaches
– Strategy

• Policy Approval Process

Page 151: Management  Awareness Training

Today’s Agenda

• Management Awareness Resources

• Five Tenets of IT Governance

• The IT Governance Program
– The Risk Assessment
– Information Technology Audits
– Vendor Due Diligence
– Awareness Training

• New Risks for 2011/2012

• The 2011 Audit Results

Page 152: Management  Awareness Training


New Risks in 2011/2012

• Targeted Malware attacks (Zeus, Russian Business Network, Chinese, and spin-offs)

• Social Media Usage (by employees AND the bank)

• Mobile Banking Deployment

Page 153: Management  Awareness Training

Orchestrated Attacks

• Usually combining:
– Malware from drive-by attack sites
– Phishing
– Pretext Calling

• Assets Attacked:
– Customer credentials
– ACH
– On-line Banking

Page 154: Management  Awareness Training

Social Media

• Bank site risks
– Compliance (disclosures)
– Negative Comments
– Poor Content

• Employee risks
– General Users
– Management Team Members

Page 155: Management  Awareness Training

Wireless Banking Risks

1. Late Majority Adoption
2. Tepid Adoption
3. Security Risk
4. Compliance Risk
5. Strategic Risk

Source: infotex, “Horse Before the Cart: Top 5 Mobile Banking Risks”

Page 156: Management  Awareness Training

Today’s Agenda

• Management Awareness Resources

• Five Tenets of IT Governance

• The IT Governance Program
– The Risk Assessment
– Information Technology Audits
– Vendor Due Diligence
– Awareness Training

• New Risks for 2011/2012

• The 2011 Audit Results

Page 157: Management  Awareness Training

In this next section

• We will learn some of the fundamental responsibilities of the Information Security Officer.

• We will see how the ISO interacts with various areas of the bank.

• We will understand how we can utilize the ISO to better manage our own technology risk.


Page 158: Management  Awareness Training

ISO Job Description

• The single point of contact . . . liaison . . . for all matters involving Information Security (and often IT Governance as a whole).

• The “inside consultant” on IT Security Matters.

• The person who teaches us how to manage technology risk.

Page 159: Management  Awareness Training

ISO Teams

• Steering Committee: Member

• Technical Staff: Member

• CIRT: Team Leader

• Risk Assessment: Team Leader

• Vendor Management: Team Leader

• Business Continuity Plan: sometimes the BCP coordinator, often not.

Page 160: Management  Awareness Training

What the ISO does . . .

• Writes policies and procedures.

• Filters vulnerability news down to what the bank needs to know.

• Writes agendas and reports for various meetings.

• Activates awareness through reminders, tests, and training.

Page 161: Management  Awareness Training

ISO Job Description

• Maintain the IT Governance Program.

• Ensure through measurement and testing that the controls in the IT Governance Program are adequate and are being enforced.

• Escalate Risk Acceptance Decisions to the Board.

• Educate, Motivate, and Activate Awareness.

Page 162: Management  Awareness Training

Awareness Life Cycle

Cycle diagram: Educate → Motivate → Activate (and back to Educate).

Page 163: Management  Awareness Training

Four Corners

Diagram nodes: Board of Directors, Oversight Committee, Management Team, Technical Team, Users, Vendors, Customers.

Page 164: Management  Awareness Training

Board Level

• Educate: Annual Report, Awareness Training

• Motivate: Risk Analysis, VDD Results, Audit Findings

• Activate: Policy Approval, Strategy, Budget

Page 165: Management  Awareness Training

Management Team

• Educate: Annual Awareness Training, Applicable Policies and Procedures (see distribution list)

• Motivate: Annual Report to the Board, Audit Results

• Activate: Risk Analysis, Vendor Due Diligence

Page 166: Management  Awareness Training

Technical Team

• Educate: IT Audit Program, Security Standards, Policies and Procedures, Comprehension Testing, BCP Testing Plan

• Motivate: Auditing, Monitoring, Testing, Vulnerability Assessments

• Activate: Vulnerability Reports, Conferences, CPE

Page 167: Management  Awareness Training

Users

• Educate: Acceptable Use Policy

• Motivate: Annual Awareness Training, Comprehension Tests

• Activate: Social Engineering Tests, Exercises, Reminders

Page 168: Management  Awareness Training

Customers

• Educate: Flyers, Knowledgeable Employees

• Motivate: Annual Awareness Training

• Activate: Stuffers, Web Site Announcements

Page 169: Management  Awareness Training

Vendors

• Educate: Due Diligence Request Letter, Phone Call

• Motivate: Contract Negotiations, Due Diligence Request Letter, AP New Vendor Form

• Activate: Ongoing discussion emphasizing security. A call when something doesn’t seem right.

Page 170: Management  Awareness Training

On the Portal . . .

• Information Security Officer Job Description

Page 171: Management  Awareness Training


How should we summarize?

Page 172: Management  Awareness Training


Interactions

Page 173: Management  Awareness Training

ISO must interact with:

• Board of Directors
– Annual Report to the Board
– Risk Acceptance Decisions
– Policy Approval

Page 174: Management  Awareness Training

ISO must interact with:

• Oversight Committee
– Internal Auditing
– Monitoring
– Audit Reports
– Vulnerability Assessments

Page 175: Management  Awareness Training

ISO must interact with:

• Management Team
– Risk Analysis
– Training
– Vendor Due Diligence
– Access Authorization Review
– Budget
– Incident Response

Page 176: Management  Awareness Training

ISO Must Interact With:

• The you-wouldn’t-expect interactions
– Human Resources
• Policy Development and Enforcement
• Incident Response Team
• Risk Assessment
• Orientation
– Marketing
• Customer Awareness Training
• Public Presence Security Controls
• Use of Social Media

Page 177: Management  Awareness Training

ISO must interact with:

• Technical Team
– Security Standards
– Incident Response
– Vulnerability Assessments
– Audits
– Network Monitoring

Page 178: Management  Awareness Training

ISO must interact with:

• Users (all employees)
– Acceptable Use Policy
– Annual Awareness Training
– Policy Enforcement
– Security Reminders and Notices
– Testing
– Incident Response
– Answering Questions

Page 179: Management  Awareness Training

ISO must interact with:

• Vendors
– Vendor Risk Analysis
– Vendor Due Diligence Requirements
– Risk Acceptance

Page 180: Management  Awareness Training

ISO must interact with:

• Customers
– Customer Awareness Training
– Incident Response

Page 181: Management  Awareness Training

Thank you!

Don’t forget the Evaluations!

Page 182: Management  Awareness Training

The Workshop Portal

• List of boilerplates and related websites.

• Electronic Version of Documents, Articles, and Boilerplates for your use.
– mat2009.infotex.com (all lower case)
– Your user name . . . mat2009 (all lower case)
– Th3!b@#1 is the password.

• Portal is classified “internal use.”