Transcript of Security Strategy Focus (ilta.personifycloud.com/.../SecurityStrategy.pdf)
Jamie Herman, Manager of Information Security – Ropes & Gray LLP
Lisa Markey, Director of Information Security – Shearman & Sterling LLP
Chris Yule, Managing Security Consultant – Dell SecureWorks
Security Strategy Focus: Building a Successful Security Team and Program in Legal
A Little About Us…
Today’s Agenda
The developing role of information security teams in law firms
Best practices for developing a successful strategy
Common IT areas to focus initial efforts on
Firm business areas to focus initial efforts on
Takeaways
New Security Programme?
The KEY to success
…AT ONCE
SecureWorks
Characteristics of a Security Strategy
Risk-based
Alignment with firm goals
Senior leadership support
People and Process
Technology as a tool, not a goal
Assume you will be compromised
Vision – looking ahead down an unknown road
Strategic Focus Areas
Understand the Extended Enterprise
1. Understand firm organizational goals, and align with them accordingly
2. Identify the key information assets
3. Understand where they’re stored, who has access to them, how they’re protected
4. Identify the risks to those assets
5. Look beyond the organisational boundary?
Understand what’s happening in your firm
Increase Visibility of Threats and Vulnerabilities
1. Security Maturity Assessments
2. Collect and monitor all of your security events
3. Host and Network-based IDS/IPS to inspect user activity
4. Apply threat intelligence
5. Vulnerability Scans, Penetration Tests, Patch/Configuration Management
What’s the problem?
Understand the players
Detect anomalies
Build a Culture of Security
1. Make everyone responsible for their own role in protecting information
2. Put in place a person who is accountable for security
3. Bring together a steering group involving stakeholders from across the organisation
4. Get top management backing for information security
We’re stronger working together than apart
Train Your Users
1. Build a layered security awareness program
2. Include Security Essentials, Organisation-Specific and Role-Specific training
3. Training as a continuous exercise
4. Train up as well as down
5. Test effectiveness of your training
Keep it Simple…
Be Prepared to Respond to Incidents
1. Build a tried and tested incident response process
2. Formalise roles and responsibilities in every type of incident
3. Understand where your logs are and how to get access to them
4. Ensure organisational boundaries won’t get in the way
5. Have pre-arranged relationships you can call on if you need it
Where to focus…
Elevated privilege accounts
Local admin accounts?
Shadow IT
Critical systems
Public facing systems
Finance and other critical business units
Takeaways
Understand the environment internally and externally
Prioritize risks and recommend mitigating controls
Work with the business to make everyone aware of risks
Change the culture of security from the top down
Collaborate with your peers at other firms and industries
Thank You