Ten Steps to Improve Enterprise Security Strategies
10 Steps to Achieve Risk-Based Security Management
Daniel Blander, Techtonica
Cindy Valladares, Product Marketing at Tripwire
IT SECURITY & COMPLIANCE AUTOMATION
@TripwireInc @cindyv
@djbphaedrus
Today’s Speakers
Daniel Blander
Techtonica
@djbphaedrus
Cindy Valladares
Product Marketing Manager
@cindyv
A History of Excellence
Headquartered in Portland, Oregon
Founded in 1997
Open source legacy since the '80s
Over 300 employees worldwide
Over 6,000 customers in 96 countries
46% of the Fortune 500 rely on Tripwire technology
Award-winning, patented technology
Interest in Risk Management is Spiking
Increasingly required to engage non-technical executives for budget
Habitual security spending not aligned with the business
More objective methods needed to allocate limited budgets
High-profile incidents in the news are noticed by business leaders
Compliance is driving the conversation around risk
Compliance Requirements Address Risk Management
PCI DSS v2.0 and the Risk Management SIG
• Req 12.1.2 – annual process that results in a formal risk assessment
• Reqs 5–6 (Maintain a vulnerability management program) – remediation scheduled by risk/priority
• Req 6.2 – assign a risk ranking to newly discovered vulnerabilities
IT-Grundschutz
• Methodology for identification, characterization, analysis, evaluation, assessment, treatment, acceptance and communication of risks
Basel II
• Ensure that banks hold adequate capital for the risks they are exposed to
ISO/IEC 27005
• Information security risk management standard
Monetary Authority of Singapore (MAS)
• IBTRM – Internet Banking and Technology Risk Management Guidelines
What is Risk-Based Security Management?
Let’s first define Risk
Risk = Probability × Impact
An approach that relates the cost of mitigating risks to the perceived value of an asset in the context of:
• Threats
• Vulnerabilities
• Impacts to the business
Part of a wider Enterprise Risk Management system and specific to Information Security
The goal is to enable the business
Framework of Risk-Based Security Management
Decisions based on identification, analysis and prioritization of risks
• Based on observable facts and, whenever possible, measurable data
• Many long-held beliefs about information security are challenged
Decisions can become more explicit
• Open to examination, testing and refinement through discourse
Risk analysis is the guide that, if based on factual data, can focus your efforts and worries in areas that produce the greatest benefits.
10 Steps to Risk-Based Security Management
1. Identify What Matters
2. Collect Data on What Matters
3. Perform Risk Assessment – the Critical Juncture
4. Present to the Organization
5. Identify Control Objectives
6. Identify and Select Controls
7. Implement Controls
8. Operate Controls
9. Monitor and Measure
10. Operate a Feedback Loop
10 Steps to Risk-Based Security Management
Step 1: Identify What Matters
• Intangible assets: profits, business goals and objectives, goodwill
• Tangible assets: cash, intellectual property, data
Step 2: Collect Data on What Matters
• Asset valuation
• Impact
• Landscape of threats
• Sources of frequency, likelihood and probability (not possibility)
• Vulnerabilities
10 Steps to Risk-Based Security Management
Step 3: Perform Risk Assessment – the Critical Juncture
• State the objectives
• Methodology should meet the needs of decision makers
• Use observable and tangible data
• Focus on accuracy, not precision
• Identify probabilities and the associated range of impact
• Use descriptions and measures that are re-usable
Step 4: Present to the Organization
• Information must make stakeholders better able to make decisions
• Information must be in the context of what is relevant to stakeholders
• Analysis must be open to exploration, inquiry and refinement
10 Steps to Risk-Based Security Management
Step 5: Identify Control Objectives
• What are the objectives of mitigation – the goal, not the technique
Step 6: Identify and Select Controls
• Consider costs versus the risk being mitigated
Step 7: Implement Controls
• Ensure the implementation supports the original objectives
Step 8: Operate Controls
10 Steps to Risk-Based Security Management
Step 9: Monitor and Measure
• Is the control creating an observable or measurable change in the original risk?
• Collect measures and observations
Step 10: Operate a Feedback Loop
• Security management as a continuous cycle
• Use measures and observations to adjust the risk analysis, control objectives, controls and operations
• Adjust perceptions and approach
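The ten steps above describe the loop but not the arithmetic behind Risk = Probability × Impact, the range of impact asked for in step 3, the cost-versus-risk comparison in step 6, or how observations feed back in steps 9 and 10. The script below is an added worked example, not code from the webinar, from Techtonica or from Tripwire. The asset names, event frequencies, impact ranges, control cost and control effect are constructed assumptions, and the Gamma-Poisson frequency revision is one technique chosen here for the feedback loop, not one the deck prescribes.

```python
"""Risk-based security management as a small quantitative loop.

Added example, not material from the webinar. Every number below (assets,
event frequencies, impact ranges, control cost and effect) is a constructed
assumption for illustration.
"""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """A threat acting on an asset that matters (steps 1 and 2)."""
    asset: str
    threat: str
    events_per_year: float   # frequency estimate: the "Probability" term
    impact_low: float        # impact range in currency units; step 3 asks
    impact_likely: float     # for a range, not one precise-looking number
    impact_high: float

    def expected_loss(self) -> float:
        """Risk = Probability x Impact, with Impact taken as the mean of a
        triangular (low, likely, high) distribution."""
        mean_impact = (self.impact_low + self.impact_likely + self.impact_high) / 3
        return self.events_per_year * mean_impact


@dataclass(frozen=True)
class Control:
    """A candidate mitigation for one threat (step 6)."""
    name: str
    threat: str              # which Scenario.threat it addresses
    annual_cost: float
    frequency_factor: float  # 0.2 means 80% fewer events
    impact_factor: float     # 0.5 means each event costs half as much

    def apply(self, s: Scenario) -> Scenario:
        if s.threat != self.threat:
            return s
        return replace(s, events_per_year=s.events_per_year * self.frequency_factor,
                       impact_low=s.impact_low * self.impact_factor,
                       impact_likely=s.impact_likely * self.impact_factor,
                       impact_high=s.impact_high * self.impact_factor)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_loss(scenarios, years=20000, seed=1):
    """Monte Carlo: per simulated year, a Poisson event count per scenario and a
    triangular impact draw per event. Returns mean, median and 90th percentile
    so the organisation sees a range (step 4) instead of a single number."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson(rng, s.events_per_year)):
                total += rng.triangular(s.impact_low, s.impact_high, s.impact_likely)
        losses.append(total)
    return {"mean": statistics.fmean(losses),
            "median": statistics.median(losses),
            "p90": statistics.quantiles(losses, n=10)[8]}


def evaluate_control(scenarios, control: Control) -> dict:
    """Cost versus risk mitigated (step 6): expected annual loss before and
    after the control, and the net benefit once its own cost is subtracted."""
    before = sum(s.expected_loss() for s in scenarios)
    after = sum(control.apply(s).expected_loss() for s in scenarios)
    return {"before": before, "after": after, "reduction": before - after,
            "net_benefit": before - after - control.annual_cost}


def revise_frequency(prior_rate, prior_weight_years, observed_events, observed_years):
    """Feedback loop (steps 9 and 10): blend the original frequency estimate with
    what was observed. Gamma-Poisson update, treating the prior as
    prior_weight_years of evidence at prior_rate events per year."""
    return (prior_rate * prior_weight_years + observed_events) / (prior_weight_years + observed_years)


# Constructed data: assumptions, not survey or customer figures.
SCENARIOS = [
    Scenario("customer database", "credential stuffing", 0.5, 50_000, 200_000, 1_200_000),
    Scenario("payment API", "ransomware outage", 0.2, 100_000, 400_000, 2_000_000),
]
MFA = Control("MFA plus login rate limiting", "credential stuffing", 60_000, 0.2, 1.0)

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.asset:18} {s.threat:20} expected annual loss {s.expected_loss():>12,.0f}")
    print("annual loss range:", simulate_annual_loss(SCENARIOS))
    print("control decision:", evaluate_control(SCENARIOS, MFA))
    # Hypothetical observation: three credential-stuffing incidents in two years.
    print("revised frequency:", revise_frequency(0.5, 4, 3, 2))
```

Run it directly to see the per-scenario expected loss, the simulated loss range, and the control decision. The point of the median/p90 output is step 3's "accuracy, not precision": a single expected-loss figure hides that most years lose little and a few lose a great deal, which is what stakeholders need to weigh in step 4. The revised frequency closes the loop in step 10: observed incidents move the estimate, and the control evaluation should then be re-run with it.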
Risk-Based Security Management
Creates an environment of informed choice
Strives to reduce uncertainty and eliminate conjecture
Is best achieved through a sufficient body of relevant data
Is based on analysis of frequency of threats and vulnerabilities
Is cyclical and provides an opportunity for continuous learning
Involves feedback loops and challenging assumptions
About The State of Risk-Based Security Management Report
Surveyed 2,145 individuals
Four countries: US, UK, Germany, Netherlands
Commissioned by Tripwire
Conducted by Ponemon Institute, an independent research organization