BUILDING A DATABASE SECURITY PROGRAM

Matt Presson
@matt_presson
Sr. Information Security Analyst, Leading Multi-National Insurance Brokerage
WHO AM I?

- Sr. Information Security Analyst
- Focus mainly on Application Security and related issues
- Recently focused on designing a database security program
OBJECTIVE

- Why database security is important
- The process of developing the program
- What to watch out for
- NOT giving a blueprint!
WHY DATABASE SECURITY?
BECAUSE WE ARE FAILING!

WHY DATABASE SECURITY?

- It stores your most sensitive data
- Traditional controls are not adapted to new attacks
    - Firewalls
    - IDS, IPS
    - AV, HIDS and HIPS
    - Full Disk Encryption
- Breaches are still happening!
HIGH-LEVEL OVERVIEW

Three phases (diagram rendered as a list):

Planning
    - Determine Stakeholders
    - Goals & Focus Areas
    - Standards & Policies

Implementation
    - Discover & Assess
    - Secure Access
    - Secure Infrastructure
    - Monitor

Ongoing Management
    - Periodic Audits
    - Review and Update Standards
    - Review and Update Policies
PLANNING

- Determine stakeholders
    - People with a vested interest in keeping data safe
    - Not just a part of the security department
    - Critical business leaders
    - Compliance/Audit organization
    - Application support managers
- Determine your goals and areas of focus
    - Address current business issues and concerns
    - Unique to each organization
PLANNING

- Standards and Policies
    - Build configurations
    - Password complexity
    - Access control
    - Permissions management
    - Data classification
PLANNING

- Data Classification
    - Different levels of assurance for different data types
    - Keep it SIMPLE!
    - Example (security viewpoint):
        - Confidential – e.g. HR data, Financials, etc.
        - Internal – e.g. Org Charts
        - Public – Released earnings info, Company tweets, etc.
IMPLEMENTATION LIFECYCLE

A repeating cycle (diagram rendered as text):
Discover and Assess -> Secure Access -> Secure Infrastructure -> Monitor -> back to Discover and Assess
DISCOVERY AND ASSESSMENT

- Focus at the application layer
- Gather a manageable list of business critical apps
    - What are your most important systems?
    - What applications have the largest impact on your ability to do business?
    - What systems do our auditors/regulators care about most?
SECURE ACCESS

- Minimize the number of accounts
    - Get a list of accounts from DBA
    - Group the accounts by usage, e.g. Applications, DBAs, Individuals (normal and admin)
- Reduce the number of admin accounts
    - Talk to the person – determine what the real need is
- Minimize account permissions
    - Can you use a view?
    - What about a stored procedure?

SECURE ACCESS

- Control where accounts access from
    - Are web and application servers ok?
    - Should DBAs have access directly from their workstations?
    - Should employees have access from their workstations?
    - Do you need terminal servers or bastion hosts?
    - Should a database be accessible from the Internet?
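The two SECURE ACCESS slides describe a review: take the DBA's account list, group it by usage, count the admin accounts and ask where each account is allowed to connect from. This added Python example (not code from the talk) walks that review over a constructed inventory; the account names, groups, networks and admin limits are assumptions standing in for what an organization would decide with its stakeholders.

```python
"""Triage a DBA-supplied account list against a 'where may it connect from' policy.

Added example; the inventory, groups and networks below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory, already grouped by usage as the talk suggests
# (application, DBA, individual). "sources" = addresses seen connecting recently.
ACCOUNTS = [
    {"account": "svc_claims_app", "group": "application", "admin": False,
     "sources": ["10.20.1.15", "10.20.1.16"]},
    {"account": "svc_reporting",  "group": "application", "admin": True,
     "sources": ["10.20.1.40"]},
    {"account": "dba_alice",      "group": "dba",         "admin": True,
     "sources": ["10.50.0.5"]},                  # bastion host only
    {"account": "dba_bob",        "group": "dba",         "admin": True,
     "sources": ["10.50.0.5", "10.99.3.77"]},    # bastion host and a workstation
    {"account": "jsmith",         "group": "individual",  "admin": False,
     "sources": ["10.99.4.12"]},
    {"account": "jsmith_admin",   "group": "individual",  "admin": True,
     "sources": ["10.99.4.12", "203.0.113.9"]},  # second address is not internal
]

# Hypothetical policy: networks each usage group may connect from.
POLICY = {
    "application": ["10.20.1.0/24"],   # web/app server subnet only
    "dba":         ["10.50.0.0/24"],   # terminal servers / bastion hosts only
    "individual":  ["10.99.0.0/16"],   # employee workstation ranges
}
# Anything outside these ranges is treated as an Internet-facing source.
INTERNAL_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# How many admin accounts each group should need at most (assumed limits).
MAX_ADMIN_PER_GROUP = {"application": 0, "dba": 2, "individual": 0}


def in_any(ip, cidrs):
    """True if the address falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def review_accounts(accounts, policy=POLICY, max_admin=MAX_ADMIN_PER_GROUP):
    """Return (subject, finding, detail) tuples to take to the DBA and account owners."""
    findings = []
    admin_by_group = defaultdict(list)
    for acct in accounts:
        group = acct["group"]
        if acct["admin"]:
            admin_by_group[group].append(acct["account"])
        for src in acct["sources"]:
            if not in_any(src, INTERNAL_NETWORKS):
                # "Should a database be accessible from the Internet?"
                findings.append((acct["account"], "INTERNET_SOURCE", src))
            elif not in_any(src, policy.get(group, [])):
                # e.g. a DBA connecting from a workstation instead of the bastion
                findings.append((acct["account"], "SOURCE_OUTSIDE_POLICY", src))
    # "Reduce the number of admin accounts": flag groups over their limit so
    # someone can talk to the owners and determine the real need.
    for group, names in admin_by_group.items():
        if len(names) > max_admin.get(group, 0):
            findings.append((group, "TOO_MANY_ADMIN_ACCOUNTS", ", ".join(sorted(names))))
    return findings


if __name__ == "__main__":
    for subject, finding, detail in review_accounts(ACCOUNTS):
        print(f"{finding:24} {subject:16} {detail}")
```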
SECURE INFRASTRUCTURE

- Ensure you are up-to-date on OS patches
    - Free / Commercial scanners
    - Windows Update
    - *nix distro repositories
- Don’t forget about the DB software itself!
    - MySQL authentication bypass – CVE-2012-2122
    - Oracle TNS Poisoning – CVE-2012-1675
    - SQL Server 2003 Local Administrator group
MONITORING

- Watch what your employees are doing
    - Built-in transaction logs or auditing solutions
    - Third-party tools
    - Database triggers
- Have different levels of monitoring
    - Failed logins for everyone
    - All activity by privileged accounts
    - Individual account activity outside of “the norm”

MONITORING

- Watch for specific events
    - Access outside of the normal activity period
    - Failed login attempts
    - Returning too much sensitive data
    - Abnormally high number of requests
    - SQL injection attempts
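The monitoring rules from the two slides above, run over constructed audit-log lines: failed logins for everyone, all activity by privileged accounts, access outside the normal period, bulk reads of tables the data-classification exercise marked Confidential, an abnormally high request rate, and a basic SQL injection signature. This is an added Python example, not the talk's or any vendor's auditing tool; the key=value log format, thresholds, account and table names are assumptions.

```python
"""Apply the talk's monitoring rules to constructed database audit-log lines.

Added example; the log format, thresholds and names are assumptions.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit log in a hypothetical "timestamp key=value ..." format.
AUDIT_LOG = """\
2012-06-14T02:13:05 user=jsmith src=10.99.4.12 event=LOGIN_FAIL
2012-06-14T02:13:09 user=jsmith src=10.99.4.12 event=LOGIN_FAIL
2012-06-14T02:13:14 user=jsmith src=10.99.4.12 event=LOGIN_FAIL
2012-06-14T02:13:20 user=jsmith src=10.99.4.12 event=LOGIN_OK
2012-06-14T02:14:02 user=jsmith src=10.99.4.12 event=QUERY table=hr.salaries rows=4800 stmt="SELECT * FROM hr.salaries"
2012-06-14T09:30:00 user=svc_claims_app src=10.20.1.15 event=QUERY table=claims.policy rows=1 stmt="SELECT * FROM claims.policy WHERE id = 17"
2012-06-14T09:30:01 user=svc_claims_app src=10.20.1.15 event=QUERY table=claims.policy rows=0 stmt="SELECT * FROM claims.policy WHERE id = '' OR '1'='1' --"
2012-06-14T10:05:11 user=dba_alice src=10.50.0.5 event=QUERY table=sys.users rows=12 stmt="SELECT name FROM sys.users"
"""
# Constructed burst: 250 queries from one reporting account within a single hour.
AUDIT_LOG += "".join(
    f"2012-06-14T11:{i // 60:02d}:{i % 60:02d} user=svc_reporting src=10.20.1.40 "
    f'event=QUERY table=rpt.summary rows=1 stmt="SELECT count(*) FROM rpt.summary"\n'
    for i in range(250)
)

# Assumed thresholds; an organization sets these with its DBAs and stakeholders.
RULES = {
    "business_hours": (7, 19),          # access outside 07:00-19:00 is "outside the norm"
    "failed_login_threshold": 3,        # consecutive failures per account before alerting
    "sensitive_rows_threshold": 1000,   # rows returned from a Confidential table
    "requests_per_hour_threshold": 200, # queries per account per hour
}
CONFIDENTIAL_TABLES = {"hr.salaries", "hr.employees"}   # from data classification
PRIVILEGED_ACCOUNTS = {"dba_alice", "dba_bob"}          # every action is logged/alerted
# Signature for common injection markers (comment sequences, UNION SELECT, quoted
# tautologies). Signatures have false positives and negatives; treat hits as leads.
INJECTION_MARKERS = re.compile(r"--|/\*|\bUNION\s+SELECT\b|\bOR\s+'[^']*'\s*=\s*'[^']*'", re.I)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split 'timestamp key=value key="quoted value"' into a dict."""
    ts_str, _, rest = line.partition(" ")
    fields = {"ts": datetime.fromisoformat(ts_str)}
    for key, val in FIELD_RE.findall(rest):
        fields[key] = val.strip('"')
    return fields


def detect(log_text, rules=RULES):
    """Return (alert, account, detail) tuples for the events the slides call out."""
    alerts, failed, per_hour, off_hours_seen = [], Counter(), Counter(), set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user, ts = ev["user"], ev["ts"]
        if user in PRIVILEGED_ACCOUNTS:
            alerts.append(("PRIVILEGED_ACTIVITY", user, ev["event"]))
        start, end = rules["business_hours"]
        if not start <= ts.hour < end and (user, ts.date()) not in off_hours_seen:
            off_hours_seen.add((user, ts.date()))       # one alert per account per day
            alerts.append(("OFF_HOURS_ACCESS", user, ts.isoformat()))
        if ev["event"] == "LOGIN_FAIL":
            failed[user] += 1
            if failed[user] == rules["failed_login_threshold"]:
                alerts.append(("FAILED_LOGINS", user, failed[user]))
        elif ev["event"] == "LOGIN_OK":
            failed[user] = 0
        elif ev["event"] == "QUERY":
            per_hour[(user, ts.replace(minute=0, second=0))] += 1
            if ev.get("table") in CONFIDENTIAL_TABLES and \
                    int(ev.get("rows", 0)) > rules["sensitive_rows_threshold"]:
                alerts.append(("SENSITIVE_BULK_READ", user, ev["table"]))
            if INJECTION_MARKERS.search(ev.get("stmt", "")):
                alerts.append(("POSSIBLE_SQL_INJECTION", user, ev["stmt"]))
    for (user, _hour), n in per_hour.items():
        if n > rules["requests_per_hour_threshold"]:
            alerts.append(("HIGH_REQUEST_RATE", user, n))
    return alerts


if __name__ == "__main__":
    for alert, account, detail in detect(AUDIT_LOG):
        print(f"{alert:24} {account:16} {detail}")
```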
ONGOING MANAGEMENT

- Periodically audit completed systems
    - Work with your DBAs
    - Collaborate with internal audit
- Keep your documentation current
    - Review updated vendor documents
    - Discuss upcoming migration plans with technology teams
SUMMARY

- We have to protect the data
- Engage with the business
    - Determine their concerns
    - Address their issues
    - Become a business partner/enabler
- Secure your most critical systems first
- Don’t forget about the infrastructure
- Monitor, monitor, monitor
- Stay current

QUESTIONS?
APPENDIX 1 – STANDARDS AND POLICIES

- Resources
    - Database Vendor
    - NIST
    - Government Agencies, e.g. NSA
    - Standards Bodies, e.g. SANS, IANS
    - International CERTs
    - Existing company documentation

Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 

Último (20)

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 

Building a database security program

  • 1. BUILDING A DATABASE SECURITY PROGRAM
    Matt Presson, @matt_presson
    Sr. Information Security Analyst, Leading Multi-National Insurance Brokerage
  • 2. WHO AM I?
    • Sr. Information Security Analyst
    • Focus mainly on Application Security and related issues
    • Recently focused on designing a database security program
  • 3. OBJECTIVE
    • Why database security is important
    • The process of developing the program
    • What to watch out for
    • NOT giving a blueprint!
  • 5. BECAUSE WE ARE FAILING!
  • 6. WHY DATABASE SECURITY?
    • It stores your most sensitive data
    • Traditional controls are not adapted to new attacks
      • Firewalls
      • IDS, IPS
      • AV, HIDS and HIPS
      • Full Disk Encryption
    • Breaches are still happening!
  • 8. HIGH-LEVEL OVERVIEW
    • Planning: Determine Stakeholders; Goals & Focus Areas; Standards & Policies
    • Implementation: Discover & Assess; Secure Access; Secure Infrastructure; Monitor
    • Ongoing Management: Periodic Audits; Review and Update Standards; Review and Update Policies
  • 9. PLANNING
    • Determine stakeholders
      • People with a vested interest in keeping data safe
      • Not just a part of the security department
      • Critical business leaders
      • Compliance/Audit organization
      • Application support managers
    • Determine your goals and areas of focus
      • Address current business issues and concerns
      • Unique to each organization
  • 10. PLANNING
    • Standards and Policies
      • Build configurations
      • Password complexity
      • Access control
      • Permissions management
      • Data classification
  • 11. PLANNING
    • Data Classification
      • Different levels of assurance for different data types
      • Keep it SIMPLE!
      • Example (security viewpoint):
        • Confidential – e.g. HR data, Financials, etc.
        • Internal – e.g. Org Charts
        • Public – Released earnings info, Company tweets, etc.
  • 12. HIGH-LEVEL OVERVIEW (same diagram as slide 8)
  • 13. IMPLEMENTATION LIFECYCLE
    Discover and Assess -> Secure Access -> Secure Infrastructure -> Monitor
  • 14. DISCOVERY AND ASSESSMENT
    • Focus at the application layer
    • Gather a manageable list of business critical apps
      • What are your most important systems?
      • What applications have the largest impact on your ability to do business?
      • What systems do our auditors/regulators care about most?
  • 15. SECURE ACCESS
    • Minimize the number of accounts
      • Get a list of accounts from DBA
      • Group the accounts by usage, e.g. Applications, DBAs, Individuals (normal and admin)
      • Reduce the number of admin accounts
      • Talk to the person – determine what the real need is
    • Minimize account permissions
      • Can you use a view?
      • What about a stored procedure?
  • 16. SECURE ACCESS
    • Control where accounts access from
      • Are web and application servers ok?
      • Should DBAs have access directly from their workstations?
      • Should employees have access from their workstations?
      • Do you need terminal servers or bastion hosts?
      • Should a database be accessible from the Internet?
  • 17. SECURE INFRASTRUCTURE
    • Ensure you are up-to-date on OS patches
      • Free / Commercial scanners
      • Windows Update
      • *nix distro repositories
    • Don’t forget about the DB software itself!
      • MySQL authentication bypass – CVE-2012-2122
      • Oracle TNS Poisoning – CVE-2012-1675
      • SQL Server 2003 Local Administrator group
  • 18. MONITORING
    • Watch what your employees are doing
      • Built-in transaction logs or auditing solutions
      • Third-party tools
      • Database triggers
    • Have different levels of monitoring
      • Failed logins for everyone
      • All activity by privileged accounts
      • Individual account activity outside of “the norm”
  • 19. MONITORING
    • Watch for specific events
      • Access outside of the normal activity period
      • Failed login attempts
      • Returning too much sensitive data
      • Abnormally high number of requests
      • SQL injection attempts
  • 20. IMPLEMENTATION LIFECYCLE (same diagram as slide 13)
  • 21. HIGH-LEVEL OVERVIEW (same diagram as slide 8)
  • 22. ONGOING MANAGEMENT
    • Periodically audit completed systems
      • Work with your DBAs
      • Collaborate with internal audit
    • Keep your documentation current
      • Review updated vendor documents
      • Discuss upcoming migration plans with technology teams
  • 23. SUMMARY
    • We have to protect the data
    • Engage with the business
      • Determine their concerns
      • Address their issues
      • Become a business partner/enabler
    • Secure your most critical systems first
    • Don’t forget about the infrastructure
    • Monitor, monitor, monitor
    • Stay current
  • 25. APPENDIX 1 – STANDARDS AND POLICIES
    • Resources
      • Database Vendor
      • NIST
      • Government Agencies, e.g. NSA
      • Standards Bodies, e.g. SANS, IANS
      • International CERTs
      • Existing company documentation
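The monitoring slides (18 and 19) list the events worth watching for; as an added example that is not part of the deck, this Python script runs those checks over a few constructed audit records. The record layout, account names, sensitive-table list, business hours and thresholds are all assumptions to be replaced by your own audit feed (native audit tables, trigger output or a third-party tool) and your own baseline.

```python
"""Audit-log review for the slide 18/19 event types (added example, not the deck's own code)."""
from collections import Counter
from datetime import datetime
import re

# Assumptions: admin accounts, Confidential-class tables (slide 11), hours and limits.
PRIVILEGED_ACCOUNTS = {"sa", "sys", "root"}
SENSITIVE_TABLES = {"hr.payroll"}
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59
FAILED_LOGIN_LIMIT = 3               # failed logins per account before alerting
SENSITIVE_ROW_LIMIT = 1000           # rows of Confidential data one statement may return
REQUESTS_PER_HOUR_LIMIT = 50         # statements per account per hour before alerting
# Coarse signature for tautologies, comment truncation and UNION-based injection.
INJECTION_PATTERN = re.compile(r"(?i)(\bor\b\s*'[^']*'\s*=\s*'|--|/\*|\bunion\b\s+select\b)")

# Constructed sample records: (timestamp, account, status, rows returned, statement).
SAMPLE_AUDIT = [
    ("2012-06-04 09:15:00", "app_payroll", "OK", 12, "SELECT name, salary FROM hr.payroll WHERE dept = ?"),
    ("2012-06-04 09:16:10", "jsmith", "FAIL", 0, ""),
    ("2012-06-04 09:16:15", "jsmith", "FAIL", 0, ""),
    ("2012-06-04 09:16:20", "jsmith", "FAIL", 0, ""),
    ("2012-06-04 09:16:25", "jsmith", "FAIL", 0, ""),
    ("2012-06-04 02:30:00", "app_payroll", "OK", 48000, "SELECT * FROM hr.payroll"),
    ("2012-06-04 10:01:00", "sa", "OK", 0, "ALTER LOGIN jsmith WITH PASSWORD = '...'"),
    ("2012-06-04 11:20:00", "app_web", "OK", 1, "SELECT id FROM users WHERE name = 'x' OR '1'='1' --'"),
]
# Sixty ordinary lookups in one hour from the web account, to exercise the rate rule.
SAMPLE_AUDIT += [("2012-06-04 11:30:%02d" % s, "app_web", "OK", 1, "SELECT id FROM orders WHERE id = ?")
                 for s in range(60)]


def review_audit(records):
    """Return (rule, account, detail) alerts for the event types listed on slide 19."""
    alerts, failed, per_hour = [], Counter(), Counter()
    for ts, account, status, rows, sql in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        per_hour[(account, when.strftime("%Y-%m-%d %H"))] += 1
        if status == "FAIL":                      # failed login attempts, counted per account
            failed[account] += 1
            continue
        if when.hour not in BUSINESS_HOURS:       # access outside the normal activity period
            alerts.append(("off-hours", account, ts))
        if account in PRIVILEGED_ACCOUNTS:        # all activity by privileged accounts (slide 18)
            alerts.append(("privileged-activity", account, sql))
        if rows > SENSITIVE_ROW_LIMIT and any(t in sql.lower() for t in SENSITIVE_TABLES):
            alerts.append(("bulk-sensitive-read", account, rows))   # too much sensitive data
        if INJECTION_PATTERN.search(sql):         # SQL injection attempts
            alerts.append(("sql-injection", account, sql))
    for account, n in failed.items():
        if n >= FAILED_LOGIN_LIMIT:
            alerts.append(("failed-logins", account, n))
    for (account, hour), n in per_hour.items():   # abnormally high number of requests
        if n > REQUESTS_PER_HOUR_LIMIT:
            alerts.append(("high-request-rate", account, n))
    return alerts


if __name__ == "__main__":
    for alert in review_audit(SAMPLE_AUDIT):
        print(alert)
```

The thresholds deliberately sit in one place so they can be tuned per system against the baseline gathered during discovery and assessment.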