Improving Your Security Program
Security Management Framework
Joe Wynn
President
WynnSecure, LLC
www.WynnSecure.com
Joe Wynn
• Founded WynnSecure, LLC in 2016
• Cofounded Seiso, LLC in 2017
• Held positions of CISO in higher education and energy sectors
• Consulted in healthcare in a security leadership position
• Built business-aligned security programs from ground up
• Leads the delivery of executive-level information security strategy
• Over 25 years experience in information technology
• Over 20 years specializing in information security
• Education
• BS of Computer Science Degree from Duquesne University
• Master’s Degree from Carnegie Mellon University
• Earned CISSP and other certifications
• Cofounder of BSidesPGH information security conference in 2011
Agenda
Why
What’s the issue
What are the problems
What can you do
Here’s a way
Discussion
Why be able to explain your program?
So you can succeed
4/6/2017 © WynnSecure, LLC - www.WynnSecure.com 5
So your company can succeed
Companies are getting
No one will come to your party
Why be able to explain your program?
What’s the Issue?
Discussion
Can anyone share why they think their program is successful?
 What did you do to make it successful?
Does your management think your program runs well?
Are they aware of which parts of the program are well managed?
What happens when the primary resource is out?
 Who does the mandatory daily tasks?
What’s the Issue?
1. Sometimes…
2. Explaining your information security program to executives
 Which parts are well managed?
 Which parts run ad hoc?
 Can you easily calculate the number of resources a successful program needs?
 Can you explain which risks are inherently being accepted?
 Can you explain the residual risks?
3. Not operationalizing the security program
What’s the Problem?
Discussion
Does anyone have a story about “someone you know” who doesn’t complete all of the mandatory processes each day?
What kinds of risks can this cause in “their” program?
Do you have to fight for your budget and resources, or does management just give it to you?
What’s the Problem?
• Skipped processes increase organizational information security risks
• Management can’t make informed decisions on undocumented risks
• Management doesn’t invest in undocumented programs
What can you do?
Discussion
• What are program metrics? Anyone track those?
• Who formally tracks risk appetite?
What can you do?
• Organize your program so it can be managed and communicated
• Track your program’s metrics
Not talking about technical metrics, like number of spam email or viruses seen.
 Note: I looked it up… plural of virus is viruses, not viri.
I’m talking about how well your processes are operating.
 And if you have the right processes and they are working, then you will be on your path to good security.
• Ensure your program operates within risk appetite tolerance
• Request program investment for areas of unacceptable risk
How?
Discussion
Can anyone talk about how they have their security processes aligned to a framework?
How?
• Get organized
• Organize program into a framework
… to manage security
Maybe call it … a “Security Management Framework”
• Allows it to be managed
• Provides ability to explain it
• Shows gaps in program
• Report on program health
What is a Security Management Framework?
• A collection of SERVICES and PROCESSES along with important information
about them, called ATTRIBUTES
• Organized into a table
• A Service is delivered through one or more processes
Can have sub processes
• Each (sub) process is defined by attributes
 Description
 Owner
 Primary Resource
 Backup Resource
 Customer
 Event Driven or Scheduled
 Frequency
 Process Details
 Hours / Month
 Annualized Hours
 Metrics
 Tools
 Escalation Process
 Process Maturity Rating
 Process Improvement Project
Here’s a way
Building your
Security Management Framework
(“SMF”)
Process Overview
1 • Choose Framework
2 • Choose Services
3 • Define Processes
4 • Add Attributes
5 • Populate Data
6 • Data Analysis
7 • Summarize Opportunities
8 • Risk Review with Management
9 • Update Risk Register
10 • Treat or Accept Risks
What do you need to start?
A Security Framework
and a Spreadsheet
Start Simple
1. Pick a security standard / framework to align to
NIST CSF will do
2. Choose what services you will perform
3. Define some processes you will follow to manage controls that are important to you.
Who’s familiar with the NIST CSF?
“The way to get started is to quit
talking and begin doing.”
-- Walt Disney
NIST Cybersecurity Framework
• NIST
• National Institute of Standards and Technology
• https://www.nist.gov/cyberframework
• 5 Functions
• Identify
• Protect
• Detect
• Respond
• Recover
• Broken out into 22 categories
Categories are a good starting point for your Services
• Further broken out into 98 subcategories
• You can map processes to the categories for your SMF
“Cybersecurity Framework Overview”
• The following slides are from NIST’s March 1, 2017 “Cybersecurity Framework Overview” virtual event.
https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
Improving Critical Infrastructure Cybersecurity
“It is the policy of the United States to enhance the security and
resilience of the Nation’s critical infrastructure and to maintain a
cyber environment that encourages efficiency, innovation, and
economic prosperity while promoting safety, security, business
confidentiality, privacy, and civil liberties”
Executive Order 13636
February 12, 2013
Slide Credit: “Cybersecurity Framework Overview” virtual event - https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
The Cybersecurity Framework...
Includes a set of standards, methodologies, procedures, and processes
that align policy, business, and technological approaches to address
cyber risks.
Provides a prioritized, flexible, repeatable, performance-based, and
cost-effective approach, including information security measures
and controls, to help owners and operators of critical infrastructure
identify, assess, and manage cyber risk.
Identifies areas for improvement to be addressed through future
collaboration with particular sectors and standards-developing
organizations.
Is consistent with voluntary international standards.
The Framework Is for Organizations…
• Of any size, in any sector in (and outside of) the critical
infrastructure.
• That already have a mature cyber risk management and
cybersecurity program.
• That don’t yet have a cyber risk management or
cybersecurity program.
• Needing to keep up-to-date managing risks, facing
business or societal threats.
• In the federal government, too…since it is compatible with
FISMA requirements and goals.
Core
Cybersecurity Framework Component

Function / Category / ID

Identify: What processes and assets need protection?
 Asset Management (ID.AM)
 Business Environment (ID.BE)
 Governance (ID.GV)
 Risk Assessment (ID.RA)
 Risk Management Strategy (ID.RM)

Protect: What safeguards are available?
 Access Control (PR.AC)
 Awareness and Training (PR.AT)
 Data Security (PR.DS)
 Information Protection Processes & Procedures (PR.IP)
 Maintenance (PR.MA)
 Protective Technology (PR.PT)

Detect: What techniques can identify incidents?
 Anomalies and Events (DE.AE)
 Security Continuous Monitoring (DE.CM)
 Detection Processes (DE.DP)

Respond: What techniques can contain impacts of incidents?
 Response Planning (RS.RP)
 Communications (RS.CO)
 Analysis (RS.AN)
 Mitigation (RS.MI)
 Improvements (RS.IM)

Recover: What techniques can restore capabilities?
 Recovery Planning (RC.RP)
 Improvements (RC.IM)
 Communications (RC.CO)
Core Cybersecurity Framework Component (closer look at Business Environment, ID.BE)
Subcategory / Informative References

ID.BE-1: The organization’s role in the supply chain is identified and communicated
 COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
 ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2
 NIST SP 800-53 Rev. 4 CP-2, SA-12

ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
 COBIT 5 APO02.06, APO03.01
 NIST SP 800-53 Rev. 4 PM-8

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
 COBIT 5 APO02.01, APO02.06, APO03.01
 ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
 NIST SP 800-53 Rev. 4 PM-11, SA-14

ID.BE-4: Dependencies and critical functions for delivery of critical services are established
 ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
 NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14

ID.BE-5: Resilience requirements to support delivery of critical services are established
 COBIT 5 DSS04.02
 ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
 NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
NIST Control Examples
The Following Slides are NIST Control Examples
• This was prepared for a ransomware talk
• Info pulled from NIST’s document NISTIR 7621r1
 “Small Business Information Security: The Fundamentals”
• These are activities you may do (processes)
• We will touch on a few
Identify
Category Control
Asset Management • Document where your systems and data are located
• Endpoints (laptops / desktops)
• Servers
• Cloud services
Governance • Create policies and procedures for information security that direct the activities you should perform to minimize the probability of being affected by ransomware and reduce the impact of an attack.
• Acceptable use
• Backup and recovery
• Security awareness training
Risk Assessment • Perform risk assessments against your environment to understand your threats and vulnerabilities
• Information security program maturity assessments
• Vulnerability assessments
• Penetration tests
Protect (1 of 3)
Category Control
Access Control • Require individual user accounts for each employee
• Assign users the least amount of access needed to function (least privilege principle)
• Note: Limiting access to a user can reduce how much the ransomware can encrypt
• Everything in all of their shared / mapped drives is at risk
• Do not give users administrative rights to their computers
• Chances of restoring files increased if user is not an admin.
• Perform regular user access reviews
• Remove unneeded access (especially when someone changes roles)
Awareness and Training • Train your users when hired and at least annually
• Don’t click on links in emails that you are not confident of
• Learn to identify phishing attacks
• Do not open unexpected emails or attachments
• Ensure employees know who to call when they notice an issue. Quicker response can reduce impact.
• Perform ransomware focused table top exercises
Protect (2 of 3)
Category Control
Data Security • Ensure antivirus / anti-malware, end point protection, endpoint detection and response tools are working and automatically updating
Information Protection Processes & Procedures • Backups are conducted and tested frequently
• Response and recovery plans / playbooks are in place and tested
• Do you have a Ransomware Response Plan documented? See article: “What Should Be In Your Ransomware Response Plan”
• Do you know how to acquire Bitcoin?
• Can you assist your clients or firm with a large Bitcoin payment?
• Have you coordinated with authorities as part of your planning process before an incident?
• Do you have agreements in place with incident response professionals that specialize in ransomware response?
• A vulnerability management plan is developed and implemented.
• Ensure you are applying operating system and application security patches timely
Protect (3 of 3)
Category Control
Protective Technology • Block macros from running automatically in your Office software
• Email Protections
• Ensure you have anti-spam / anti-phishing protections in place
• Block certain file-types from being delivered (.exe files, .zip files, files with macros or scripts)
• Alert when password protected files are sent.
• They can’t be scanned and hackers use them to get past filters
• Do not auto download pictures
• Web / URL Filters – configure to block known malicious websites
• Lock down volume shadow copies.
• These are automatic file backups that you can revert to. Turning these off and deleting them is one of the first activities ransomware does before encrypting your data.
Detect
Category Control
Anomalies and Events • Ensure you have good logging in place and in a system that can alert you when the right combination of events occurs, like a SIEM (Security Information and Event Management) tool.
• Ensure antivirus alerts are reviewed
Security Continuous Monitoring • Make sure your antivirus tools are receiving updates (multiple times per day) and scanning regularly
Detection Processes • Ensure someone is monitoring log events so they will know if something has happened.
• You may be able to hire a managed service to review the most critical logs that would indicate an issue.
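The Detect slide asks for a system that alerts on “the right combination of events”, and the Protect slide names one such event: ransomware deleting volume shadow copies before it encrypts. The correlation rule below is an added example, not code from the talk. The four-field log format (timestamp, host, event type, detail) and the hosts, users and file names are constructed for illustration; in practice the same rule would run inside a SIEM over Windows process-creation and file-audit events. The vssadmin and wmic command strings are the real Windows commands used to remove shadow copies.

```python
"""Alert on shadow-copy deletion combined with a burst of file writes on the same host.

Added example, not code from the talk. Log format and sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Process command lines that delete Volume Shadow Copies (matched case-insensitively).
SHADOW_DELETE_MARKERS = ("vssadmin delete shadows", "wmic shadowcopy delete")
WINDOW = timedelta(minutes=5)   # how close the file-write burst must be to the deletion
BURST_THRESHOLD = 10            # file writes on one host within WINDOW that count as a burst


def parse(line):
    """Constructed format: '<ISO timestamp> <host> <event_type> <detail...>'."""
    ts, host, event_type, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event_type, detail


def correlate(log_text):
    """Return one alert per shadow-copy deletion; severity depends on nearby file activity."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        deletions = [e for e in evs if e[2] == "process_create"
                     and any(m in e[3].lower() for m in SHADOW_DELETE_MARKERS)]
        writes = [e for e in evs if e[2] == "file_write"]
        for when, _, _, cmdline in deletions:
            burst = [w for w in writes if abs(w[0] - when) <= WINDOW]
            alerts.append({
                "host": host,
                "when": when.isoformat(),
                "command": cmdline,
                "files_touched": len(burst),
                # Deletion alone is worth a look (admins do it too); deletion plus a
                # burst of file writes within the window is the ransomware pattern.
                "severity": "high" if len(burst) >= BURST_THRESHOLD else "low",
            })
    return alerts


def constructed_logs():
    """Constructed sample: an infected workstation and an admin doing backup housekeeping."""
    lines = ["2017-04-06T09:00:01 ws-17 process_create cmd.exe /c vssadmin delete shadows /all /quiet"]
    for i in range(12):
        lines.append(f"2017-04-06T09:00:{2 + i:02d} ws-17 file_write "
                     f"C:\\Users\\joe\\Documents\\report{i}.docx.locked")
    lines.append("2017-04-06T14:30:00 srv-backup process_create vssadmin delete shadows /for=D: /oldest")
    lines.append("2017-04-06T14:31:00 srv-backup file_write D:\\Backups\\nightly.bak")
    return "\n".join(lines)


if __name__ == "__main__":
    for a in correlate(constructed_logs()):
        print(a["severity"].upper(), a["host"], a["when"],
              f"{a['files_touched']} files", a["command"])
```

Running it yields a high-severity alert for ws-17 (deletion followed by twelve file writes within seconds) and a low-severity notice for srv-backup, where the same command ran but nothing else happened. That split is the point of correlating rather than alerting on the command alone: the low-severity queue can be reviewed daily under the Detection Processes row, while the high-severity one pages someone.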
Respond
Category Control
Response Planning • Be sure to use the plans you built in the Protect function
Communications • Ensure you know how to keep your stakeholders updated appropriately
• Public Relations: Ensure everyone is clear on what to say to media and
your clients.
• Will your clients feel like you are in control of the situation?
Analysis • When the alerts go off, based on your controls in the Detect function,
make sure they are investigated
Mitigation • Have plans in place to contain the incident quickly
Improvements • Learn from previous incidents and improve your plans
Recover
Category Control
Recovery Planning • Check for decryption options.
• Is there a master key available? Decryption tools are available for
some variants.
• If you are going to pay:
• Do you have Bitcoin available?
• Can you negotiate?
• Can you get proof the decryption will work?
• Restoration - Be prepared to recover your systems
• Do you have a disaster recovery plan?
• Have you tested your backup / recovery plans?
• Ensure you close the vulnerability / holes of initial incident
Communications • Continue managing the media and client expectations
Choose Some Categories
For this exercise, I will choose
a few categories for our
services
1. Asset Management
2. Governance
3. Risk Assessment
4. Access Control
5. Awareness and Training
6. Data Security
7. Security Continuous Monitoring
8. Analysis
9. Improvements
10. Recovery Planning
Define Some Processes
• Where can I find process descriptions? You can consider
The Center for Internet Security’s Critical Security Controls
 https://www.cisecurity.org/critical-controls.cfm
o Originally developed in 2008 by SANS Institute*
o In 2013 transferred to the Council for Cyber Security
o In 2015 transferred to the Center for Internet Security
NIST SP 800-53r4, a catalog of security controls
 https://nvd.nist.gov/800-53
 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• Use NIST CSF to map to the control reference in the “Informative References” column
Let me show you how…
* https://en.wikipedia.org/wiki/The_CIS_Critical_Security_Controls_for_Effective_Cyber_Defense
NIST CSF “Informative References”
Council for Cyber Security / Center for Internet Security – Critical Security Controls
NIST SP 800-53r4: Catalog of Security Controls
“Informative References” Closer Look
CIS CSC Example
NIST 800-53r4 Example
Process Build – Recap
What we did:
• Chose some information security services using the NIST CSF categories to run your operationalized information security program
• Selected appropriate processes using the detailed control information from the “Informative References” column of the NIST CSF
Now we will add those processes to our table.
Steps completed so far: 1 Choose Framework, 2 Choose Services, 3 Define Processes
Process Example
Process Example - Zoomed
What to Measure?
• What data (attributes) about your processes do you want to track?
• Earlier I suggested these attributes:
 Description
 Owner
 Primary Resource
 Backup Resource
 Customer
 Event Driven or Scheduled
 Frequency
 Process Details
 Hours / Month
 Annualized Hours
 Metrics
 Tools
 Escalation Process
 Process Maturity Rating
 Process Improvement Project
“If you can’t measure it, you can’t manage it.”
--Peter Drucker
Example Framework
• In the following example, the framework data is exaggerated
• 4 process owners
• 4 resources assigned to the processes
• Fictional hours for the processes
Populate the Framework
• We’ve populated the framework.
• Analysis:
 There are some processes without backup resources
 A total of 5640 resource-hours needed to perform the selected processes
 We added some maturity ratings to the processes (more on that later)
Using the SMF
• Analysis: What’s missing from your program
Backup resources
Efficient Tools
 A lot is being done with spreadsheets, documents, and free tools
• What can you do with your data?
Perform a maturity review of your processes
Create projects to increase process / program maturity
Add up the FTE hours needed to execute the processes
Track program metrics
 How often have you executed each process on time?
 When have processes not been completed and why?
 Are processes taking more time than estimated to complete?
Forecast security program budget
You can add additional attributes
 Cost to execute process
 Risk of failing to perform process to specifications
Do The Math
• Resource analysis
• We have 4 resources (Larry, Curly, Kramden, and Norton)
• A resource is available 1296 hours after PTO, training, admin time, meetings…
• 4 resources have 5184 hours available for operations
• Add up the annual FTE hours in the SMF to perform the work.
• 5640
• The math tells us there is a 456 hour deficit.
• This is just an example.
• We all know we work way more than 2080 hours
• Don’t get caught up in the details – use the process
• What else can you do?
• Add up the project budget required to close the gaps
Discussion

Capacity model behind the numbers above (hours per year):

                                                   Annual hours   Hours left for operations
1 FTE                                                    2080          2080
3 weeks PTO                                               120          1960
2 weeks training                                           80          1880
10% time on admin activities                              208          1672
Allocation for various meetings
 (8 hours / week for the 47 working weeks)                376          1296

Number of resources                                         4
Available hours for operations (4 x 1296)                5184
Total hours needed from SMF                              5640
Hours difference                                         -456
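Steps 4 through 6 of the process (add attributes, populate data, analyze) and the “Do The Math” table above are easy to follow in a spreadsheet, but the same table expressed as code shows what the analysis actually computes. The following is an added example, not code from the talk or from WynnSecure. Attribute names follow the slide deck; the processes, staff names, hours and maturity ratings are constructed sample data, and the capacity model reproduces the table above (2080 hours, three weeks PTO, two weeks training, 10% admin time, 8 hours of meetings per working week).

```python
"""Security Management Framework (SMF) as data, plus the analysis the talk walks through.

Added example, not code from the talk. Sample processes and staff are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Process:
    service: str            # NIST CSF category used as the service name
    csf_id: str             # CSF category ID the process maps to
    name: str               # process description
    owner: str
    primary: str            # primary resource (who does the work)
    backup: Optional[str]   # backup resource; None means nobody covers an absence
    scheduled: bool         # True = scheduled, False = event driven
    frequency: str
    hours_per_month: float
    maturity: int           # CMM-style 1..5 process maturity rating

    @property
    def annual_hours(self) -> float:
        return self.hours_per_month * 12


def available_hours_per_fte(base=2080, pto_weeks=3, training_weeks=2,
                            admin_pct=0.10, meeting_hours_per_week=8):
    """Hours one FTE has left for operations; the talk's defaults give 1296."""
    working_weeks = 52 - pto_weeks - training_weeks
    return (base
            - pto_weeks * 40
            - training_weeks * 40
            - base * admin_pct
            - meeting_hours_per_week * working_weeks)


def analyze(processes, fte_count, target_maturity=3):
    """Pull out what management needs to see: hours, gaps, single points of failure."""
    per_fte = available_hours_per_fte()
    total = sum(p.annual_hours for p in processes)
    load = defaultdict(float)
    for p in processes:
        load[p.primary] += p.annual_hours
    return {
        "total_hours": total,
        "capacity_hours": fte_count * per_fte,
        "deficit_hours": total - fte_count * per_fte,   # positive = understaffed
        "no_backup": [p.name for p in processes if p.backup is None],
        "below_target_maturity": [(p.name, p.maturity) for p in processes
                                  if p.maturity < target_maturity],
        # One person carrying more than one FTE's operational hours is a gap
        # even when the program-wide total looks fine.
        "overloaded": {r: h for r, h in load.items() if h > per_fte},
    }


# Constructed sample data: two staff (Larry and Curly) covering six processes
# drawn from the categories chosen earlier in the talk.
SAMPLE_PROCESSES = [
    Process("Asset Management", "ID.AM", "Monthly hardware/software inventory update",
            "Larry", "Larry", "Curly", True, "monthly", 20, 3),
    Process("Governance", "ID.GV", "Annual policy review",
            "Larry", "Larry", None, True, "annual", 4, 2),
    Process("Risk Assessment", "ID.RA", "Quarterly vulnerability scan review",
            "Curly", "Curly", "Larry", True, "quarterly", 30, 3),
    Process("Access Control", "PR.AC", "Quarterly user access review",
            "Larry", "Larry", None, True, "quarterly", 25, 2),
    Process("Security Continuous Monitoring", "DE.CM", "Daily antivirus and SIEM alert review",
            "Curly", "Curly", "Larry", True, "daily", 150, 2),
    Process("Recovery Planning", "RC.RP", "Monthly backup restore test",
            "Curly", "Curly", None, True, "monthly", 16, 3),
]


def main():
    r = analyze(SAMPLE_PROCESSES, fte_count=2)
    print(f"Hours needed {r['total_hours']:.0f}, capacity {r['capacity_hours']:.0f}, "
          f"deficit {r['deficit_hours']:.0f}")
    print("No backup resource:", ", ".join(r["no_backup"]))
    print("Below target maturity:", r["below_target_maturity"])
    print("Overloaded primaries:", r["overloaded"])


if __name__ == "__main__":
    main()
```

With the sample data the program needs 2940 hours against 2592 available, a 348 hour deficit, and three processes have no backup resource. The per-person view is the part a spreadsheet total hides: Curly carries 2352 hours, nearly twice one FTE’s operational capacity, so the daily alert review is at risk whenever Curly is out regardless of the headline deficit. Plugging the talk’s own figures in (`analyze([], fte_count=4)`) reproduces the 5184 hour capacity from the table.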
Assess Maturity
http://en.wikipedia.org/wiki/File:Characteristics_of_Capability_Maturity_Model.svg
Explain Risks To Management
• Show up with solutions, not problems
• Get management buy-in on what must be done
• Show management what can and cannot be done
• Document risks in risk register
Are they willing to fund improvements?
• Make your budget requests to close gaps and
improve maturity
• Get management signoff on risks
This should not be your burden to bear
• Spend your money wisely
• If management doesn’t fund the program and
doesn’t accept the risks?
Update your resume
Time to move on
Process Recap
1 • Choose Framework
2 • Choose Services
3 • Define Processes
4 • Add Attributes
5 • Populate Data
6 • Data Analysis
7 • Summarize Opportunities
8 • Risk Review with Management
9 • Update Risk Register
10 • Treat or Accept Risks
Discussion / Questions

Cyber-Security-Whitepaper.pdfAnil
 
New Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law RequirementsNew Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law RequirementsSkoda Minotti
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'aFahmi Albaheth
 
Achieving Compliance Through Security
Achieving Compliance Through SecurityAchieving Compliance Through Security
Achieving Compliance Through SecurityEnergySec
 

Similar a Build a Security Management Framework (SMF (20)

Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolio
 
SOC for Cybersecurity Overview
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity Overview
 
Supplement To Student Guide Seminar 03 A 3 Nov09
Supplement To Student Guide   Seminar 03 A 3 Nov09Supplement To Student Guide   Seminar 03 A 3 Nov09
Supplement To Student Guide Seminar 03 A 3 Nov09
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101  NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
 
Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015
 
Security Program Guidance and Establishing a Culture of Security
Security Program Guidance and Establishing a Culture of SecuritySecurity Program Guidance and Establishing a Culture of Security
Security Program Guidance and Establishing a Culture of Security
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessments
 
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity Framework
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
New Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law RequirementsNew Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law Requirements
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'a
 
IASA ey deck presentation
IASA ey deck presentationIASA ey deck presentation
IASA ey deck presentation
 
Achieving Compliance Through Security
Achieving Compliance Through SecurityAchieving Compliance Through Security
Achieving Compliance Through Security
 

Último

Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 

Último (20)

Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 

Build a Security Management Framework (SMF

  • 1. Improving Your Security Program
    Security Management Framework
    Joe Wynn, President, WynnSecure, LLC
    www.WynnSecure.com
  • 2. Joe Wynn
    • Founded WynnSecure, LLC in 2016
    • Cofounded Seiso, LLC in 2017
    • Held positions of CISO in higher education and energy sectors
    • Consulted in healthcare in a security leadership position
    • Built business-aligned security programs from ground up
    • Leads the delivery of executive-level information security strategy
    • Over 25 years experience in information technology
    • Over 20 years specializing in information security
    • Education
      • BS of Computer Science Degree from Duquesne University
      • Master’s Degree from Carnegie Mellon University
      • Earned CISSP and other certifications
    • Cofounder of BSidesPGH information security conference in 2011
  • 3. Agenda
    Why
    What’s the issue
    What are the problems
    What can you do
    Here’s a way
    Discussion
  • 4.
  • 5. Why be able to explain your program?
    So you can succeed
    4/6/2017 © WynnSecure, LLC - www.WynnSecure.com 5
  • 6. So your company can succeed
  • 7. Companies are getting
  • 9. Why be able to explain your program?
  • 10. What’s the Issue? Discussion
    Can anyone share why they think their program is successful?
       What did you do to make it successful?
    Does your management think your program runs well?
    Are they aware of which parts of the program are well managed?
    What happens when the primary resource is out?
       Who does the mandatory daily tasks?
  • 11. What’s the Issue?
    1. Sometimes…
    2. Explaining your information security program to executives
       Which parts are well managed?
       Which parts run ad hoc?
       Easily calculate number of resources for a successful program?
       Explain what risks are inherently being accepted?
       Explain residual risks?
    3. Not operationalizing the security program
  • 12. What’s the Problem? Discussion
    Does anyone have a story about “someone you know” who doesn’t complete all of the mandatory processes each day?
    What kinds of risks can this cause in “their” program?
    Do you have to fight for your budget and resources or does management just give it to you?
  • 13. What’s the Problem?
    • Skipped processes increase organizational information security risks
    • Management can’t make informed decisions on undocumented risks
    • Management doesn’t invest in undocumented programs
  • 14. What can you do? Discussion
    • What are program metrics? Anyone track those?
    • Who formally tracks risk appetite?
  • 15. What can you do?
    • Organize your program so it can be managed and communicated
    • Track your program’s metrics
      Not talking about technical metrics, like number of spam email or viruses seen.
         Note: I looked it up… plural of virus is viruses, not viri.
      I’m talking about how well your processes are operating.
         And if you have the right processes and they are working, then you will be on your path to good security.
    • Ensure your program operates within risk appetite tolerance
    • Request program investment for areas of unacceptable risk
  • 16. How? Discussion
    Can anyone talk about how they have their security processes aligned to a framework?
  • 17. How?
    • Get organized
    • Organize program into a framework … to manage security
      Maybe call it … a “Security Management Framework”
    • Allows it to be managed
    • Provides ability to explain it
    • Shows gaps in program
    • Report on program health
  • 18. What is a Security Management Framework?
    • A collection of SERVICES and PROCESSES along with important information about them, called ATTRIBUTES
    • Organized into a table
    • A Service is delivered through one or more processes
      Can have sub processes
    • Each (sub) process is defined by attributes
       Description
       Owner
       Primary Resource
       Backup Resource
       Customer
       Event Driven or Scheduled
       Frequency
       Process Details
       Hours / Month
       Annualized Hours
       Metrics
       Tools
       Escalation Process
       Process Maturity Rating
       Process Improvement Project
  • 19. Here’s a way
    Building your Security Management Framework (“SMF”)
  • 20. Process Overview
    1. Choose Framework
    2. Choose Services
    3. Define Processes
    4. Add Attributes
    5. Populate Data
    6. Data Analysis
    7. Summarize Opportunities
    8. Risk Review with Management
    9. Update Risk Register
    10. Treat or Accept Risks
  • 21. What do you need to start?
    A Security Framework and a Spreadsheet
    Start Simple
    1. Pick a security standard / framework to align to
       NIST CSF will do
    2. Choose what services you will perform
    3. Define some processes you will follow to manage controls that are important to you.
    Who’s familiar with the NIST CSF?
    “The way to get started is to quit talking and begin doing.” -- Walt Disney
  • 22. NIST Cybersecurity Framework
    • NIST
      • National Institute of Standards and Technology
      • https://www.nist.gov/cyberframework
    • 5 Functions
      • Identify
      • Protect
      • Detect
      • Respond
      • Recover
    • Broken out into 22 categories
      Categories are a good starting point for your Services
    • Further broken out into 98 subcategories
    • You can map processes to the categories for your SMF
  • 23. “Cybersecurity Framework Overview”
    • The following slides are from NIST’s March 1, 2017 “Cybersecurity Framework Overview” virtual event.
      https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
  • 24. Improving Critical Infrastructure Cybersecurity
    “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”
    Executive Order 13636, February 12, 2013
    Slide Credit: “Cybersecurity Framework Overview” virtual event - https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
  • 25. The Cybersecurity Framework...
    • Includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
    • Provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
    • Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations.
    • Is consistent with voluntary international standards.
  • 26. The Framework Is for Organizations…
    • Of any size, in any sector in (and outside of) the critical infrastructure.
    • That already have a mature cyber risk management and cybersecurity program.
    • That don’t yet have a cyber risk management or cybersecurity program.
    • Needing to keep up-to-date managing risks, facing business or societal threats.
    • In the federal government, too…since it is compatible with FISMA requirements and goals.
  • 27. Core Cybersecurity Framework Component
    Function | Category | ID
    What processes and assets need protection?
      Identify | Asset Management | ID.AM
      Identify | Business Environment | ID.BE
      Identify | Governance | ID.GV
      Identify | Risk Assessment | ID.RA
      Identify | Risk Management Strategy | ID.RM
    What safeguards are available?
      Protect | Access Control | PR.AC
      Protect | Awareness and Training | PR.AT
      Protect | Data Security | PR.DS
      Protect | Information Protection Processes & Procedures | PR.IP
      Protect | Maintenance | PR.MA
      Protect | Protective Technology | PR.PT
    What techniques can identify incidents?
      Detect | Anomalies and Events | DE.AE
      Detect | Security Continuous Monitoring | DE.CM
      Detect | Detection Processes | DE.DP
    What techniques can contain impacts of incidents?
      Respond | Response Planning | RS.RP
      Respond | Communications | RS.CO
      Respond | Analysis | RS.AN
      Respond | Mitigation | RS.MI
      Respond | Improvements | RS.IM
    What techniques can restore capabilities?
      Recover | Recovery Planning | RC.RP
      Recover | Improvements | RC.IM
      Recover | Communications | RC.CO
  • 28. Core Cybersecurity Framework Component
    Function | Category | ID
    Identify: Asset Management ID.AM; Business Environment ID.BE; Governance ID.GV; Risk Assessment ID.RA; Risk Management Strategy ID.RM
    Protect: Access Control PR.AC; Awareness and Training PR.AT; Data Security PR.DS; Information Protection Processes & Procedures PR.IP; Maintenance PR.MA; Protective Technology PR.PT
    Detect: Anomalies and Events DE.AE; Security Continuous Monitoring DE.CM; Detection Processes DE.DP
    Respond: Response Planning RS.RP; Communications RS.CO; Analysis RS.AN; Mitigation RS.MI; Improvements RS.IM
    Recover: Recovery Planning RC.RP; Improvements RC.IM; Communications RC.CO
    Subcategory | Informative References (Business Environment, ID.BE)
    ID.BE-1: The organization’s role in the supply chain is identified and communicated | COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12
    ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated | COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8
    ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14
    ID.BE-4: Dependencies and critical functions for delivery of critical services are established | ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
    ID.BE-5: Resilience requirements to support delivery of critical services are established | COBIT 5 DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
  • 29. NIST Control Examples The Following Slides are NIST Control Examples • This was prepared for a ransomware talk • Info pulled from NIST’s document NISTIR 7621r1  “Small Business Information Security: The Fundamentals” • These are activities you may do (processes) • We will touch on a few 4/6/2017 © WynnSecure, LLC - www.WynnSecure.com 29
  • 30. Identify Category Control Asset Management • Document where your systems and data are located • Endpoints (laptops / desktops) • Servers • Cloud services Governance • Create policies and procedures for information security that direct the activities you should perform to minimize probability of being affected by ransomware and reduce the impact of an attack. • Acceptable use • Backup and recovery • Security awareness training Risk Assessment • Perform risk assessments against environment to understand your threats and vulnerabilities • Information security program maturity assessments • Vulnerability assessments • Penetration tests 4/6/2017 © WynnSecure, LLC - www.WynnSecure.com 30
  • 31. Protect (1 of 3) Category Control Access Control • Require individual user accounts for each employee • Assign users the least amount of access needed to function (least privilege principle) • Note: Limiting access to a user can reduce how much the ransomware can encrypt • Everything in all of their shared / mapped drives is at risk • Do not give users administrative rights to their computers • Chances of restoring files increased if user is not an admin. • Perform regular user access reviews • Remove unneeded access (especially when someone changes roles) Awareness and Training • Train your users when hired and at least annually • Don’t click on links in emails that you are not confident of • Learn to identify phishing attacks • Do not open unexpected emails or attachments • Ensure employees know who to call when they notice an issue. Quicker response can reduce impact. • Perform ransomware focused table top exercises 4/6/2017 © WynnSecure, LLC - www.WynnSecure.com 31
  • 32. Protect (2 of 3) Category Control Data Security • Ensure antivirus / anti-malware, end point protection, endpoint detection and response tools are working and automatically updating Information Protection Processes & Procedures • Backups are conducted and tested frequently • Response and recovery plans / playbooks are in place and tested • Do you have a Ransomware Response Plan documented? See article: “What Should Be In Your Ransomware Response Plan” • Do you know how to acquire Bitcoin? • Can you assist your clients or firm with a large Bitcoin payment? • Have you coordinated with authorities as part of your planning process before an incident? • Do you have agreements in place with incident response professionals that specialize in ransomware response? • A vulnerability management plan is developed and implemented. • Ensure you are applying operating system and application security patches timely 4/6/2017 © WynnSecure, LLC - www.WynnSecure.com 32
  • 33. Protect (3 of 3) Category Control Protective Technology • Block macros from running automatically in your Office software • Email Protections • Ensure you have anti-spam / anti-phishing protections in place • Block certain file-types from being delivered (.exe. files, .zip files, files with macros or scripts) • Alert when password protected files are sent. • They can’t be scanned and hackers use them to get past filters • Do not auto download pictures • Web / URL Filters – configure to block known malicious websites • Lock down volume shadow copies. • These are automatic file backups that you can revert to. Turning these off and deleting them is one of the first activities ransomware does before encrypting your data. 4/6/2017 © WynnSecure, LLC - www.WynnSecure.com 33
  • 34. Detect Category Control Anomalies and Events • Ensure you have good logging in place and in a system that can alert you when the right combination of events occurs, like a SIEM (Security Information and Event Management) tool. • Ensure antivirus alerts are reviewed Security Continuous Monitoring • Make sure your antivirus tools are receiving updates (multiple times per day) and scanning regularly Detection Processes • Ensure someone is monitoring log events so they will know if something has happened. • You may be able to hire a managed service to review the most critical logs that would indicate an issue. 4/6/2017 © WynnSecure, LLC - www.WynnSecure.com 34
  • 35. Respond Category Control Response Planning • Be sure to use the plans you built in the Protect function Communications • Ensure you know how to keep your stakeholders updated appropriately • Public Relations: Ensure everyone is clear on what to say to media and your clients. • Will your clients feel like you are in control of the situation? Analysis • When the alerts go off, based on your controls in the Detect function, make sure they are investigated Mitigation • Have plans in place to contain the incident quickly Improvements • Learn from previous incidents and improve your plans 4/6/2017 © WynnSecure, LLC - www.WynnSecure.com 35
• 36. Recover
Category: Recovery Planning
• Check for decryption options. Is there a master key available? Decryption tools are available for some variants.
• If you are going to pay:
  • Do you have Bitcoin available?
  • Can you negotiate?
  • Can you get proof the decryption will work?
• Restoration: be prepared to recover your systems.
  • Do you have a disaster recovery plan?
  • Have you tested your backup / recovery plans?
• Ensure you close the vulnerability or holes that allowed the initial incident.
Category: Communications
• Continue managing media and client expectations.
• 37. Choose Some Categories
For this exercise, I will choose a few categories for our services:
1. Asset Management
2. Governance
3. Risk Assessment
4. Access Control
5. Awareness and Training
6. Data Security
7. Security Continuous Monitoring
8. Analysis
9. Improvements
10. Recovery Planning
• 38. Define Some Processes
• Where can I find process descriptions? You can consider:
  • The Center for Internet Security's Critical Security Controls: https://www.cisecurity.org/critical-controls.cfm
    • Originally developed in 2008 by the SANS Institute*
    • Transferred in 2013 to the Council on CyberSecurity
    • Transferred in 2015 to the Center for Internet Security
  • NIST SP 800-53r4, a catalog of security controls: https://nvd.nist.gov/800-53 and http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• Use the NIST CSF to map each subcategory to the control references in its "Informative References" column.
Let me show you how…
* https://en.wikipedia.org/wiki/The_CIS_Critical_Security_Controls_for_Effective_Cyber_Defense
• 39. NIST CSF "Informative References"
(Screenshot: the NIST CSF core table, with the "Informative References" column citing the Council on CyberSecurity / Center for Internet Security Critical Security Controls and NIST SP 800-53r4, the catalog of security controls)
• 40. "Informative References" Closer Look
(Screenshot: the same "Informative References" column enlarged, showing the CIS Critical Security Controls and NIST SP 800-53r4 references for one subcategory)
• 41. CIS CSC Example
(Screenshot of a CIS Critical Security Control entry)
• 42. NIST 800-53r4 Example
(Screenshot of a NIST SP 800-53r4 control entry)
• 43. Process Build – Recap
What we did:
• Chose some information security services, using the NIST CSF categories, to run your operationalized information security program
• Selected appropriate processes using the detailed control information from the "Informative References" column of the NIST CSF
Now we will add those processes to our table.
1. Choose Framework
2. Choose Services
3. Define Processes
• 44. Process Example
(Screenshot of the process table)
• 45. Process Example - Zoomed
(Screenshot of the process table, enlarged)
• 46. What to Measure?
• What data (attributes) about your processes do you want to track?
• Earlier I suggested these attributes:
  • Description
  • Owner
  • Primary Resource
  • Backup Resource
  • Customer
  • Event Driven or Scheduled
  • Frequency
  • Process Details
  • Hours / Month
  • Annualized Hours
  • Metrics
  • Tools
  • Escalation Process
  • Process Maturity Rating
  • Process Improvement Project
"If you can't measure it, you can't manage it." -- Peter Drucker
• 47. Example Framework
• In the following example, the framework data is exaggerated:
  • 4 process owners
  • 4 resources assigned to the processes
  • Fictional hours for the processes
• 48. Populate the Framework
• We've populated the framework.
• Analysis:
  • There are some processes without backup resources
  • A total of 5640 resource-hours is needed to perform the selected processes
  • We added some maturity ratings to the processes (more on that later)
• 49. Using the SMF
• Analysis: what's missing from your program?
  • Backup resources
  • Efficient tools: a lot is being done with spreadsheets, documents, and free tools
• What can you do with your data?
  • Perform a maturity review of your processes
  • Create projects to increase process / program maturity
  • Add up the FTE hours needed to execute the processes
  • Track program metrics:
    • How often have you executed each process on time?
    • When have processes not been completed, and why?
    • Are processes taking more time than estimated to complete?
  • Forecast the security program budget
  • Add additional attributes, for example:
    • Cost to execute the process
    • Risk of failing to perform the process to specifications
• 50. Do The Math
• Resource analysis
  • We have 4 resources (Larry, Curly, Kramden, and Norton)
  • A resource is available 1296 hours after PTO, training, admin time, meetings…
  • 4 resources have 5184 hours available for operations
  • Add up the annual FTE hours in the SMF to perform the work: 5640
  • The math tells us there is a 456-hour deficit
• This is just an example
  • We all know we work way more than 2080 hours
  • Don't get caught up in the details; use the process
• What else can you do? Add up the project budget required to close the gaps
Discussion

Hours available per resource:
                                                          Annual hours   Hours left for operations
1 FTE                                                     2080           2080
3 weeks PTO                                               120            1960
2 weeks training                                          80             1880
10% time on admin activities                              208            1672
Allocation for meetings (8 hours/week, 47 working weeks)  376            1296

Number of resources                 4
Available hours for operations      5184
Total hours needed from SMF         5640
Hours difference                    -456
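The analysis described on the last few slides (attributes, populated table, backup gaps, FTE hours, deficit) as an added example in Python, not code from the deck or from WynnSecure. The process list, owners, and hours are fictional, chosen to reproduce the deck's 5640-hour total, the attribute set is a subset of the deck's list, and the capacity deductions are the ones in the table above. It goes one step beyond the slide by summing load per primary resource, which shows who is overloaded rather than only that the team is.

```python
# Capacity analysis over the SMF table. Added example, not from the deck: the
# process list, owners and hours are fictional (chosen to reproduce the deck's
# 5640-hour total) and the attribute set is a subset of the deck's list.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Process:
    category: str
    name: str
    owner: str
    primary: str
    backup: Optional[str]
    hours_per_month: float
    maturity: int  # 1-5, CMM-style rating

    @property
    def annual_hours(self):
        return self.hours_per_month * 12


def available_hours(fte_hours=2080, pto=120, training=80,
                    admin_share=0.10, meeting_hours_per_week=8):
    """Hours one resource has left for operations, using the deck's deductions."""
    working_weeks = (fte_hours - pto - training) / 40      # 47
    admin = fte_hours * admin_share                         # 208
    meetings = meeting_hours_per_week * working_weeks       # 376
    return fte_hours - pto - training - admin - meetings    # 1296


def analyze(processes, resources, per_resource=None):
    """Totals, gaps and per-resource load for a populated SMF table."""
    per_resource = available_hours() if per_resource is None else per_resource
    load = defaultdict(float)
    for p in processes:
        load[p.primary] += p.annual_hours
    needed = sum(p.annual_hours for p in processes)
    available = per_resource * len(resources)
    return {
        "needed_hours": needed,
        "available_hours": available,
        "hours_difference": available - needed,
        "missing_backup": [p.name for p in processes if not p.backup],
        "load_by_resource": dict(load),
        "overloaded": sorted(r for r in resources if load[r] > per_resource),
        "immature": [p.name for p in processes if p.maturity <= 1],
    }


RESOURCES = ["Larry", "Curly", "Kramden", "Norton"]
PROCESSES = [  # constructed data for the ten categories chosen earlier
    Process("Asset Management", "Maintain hardware and software inventory", "Larry", "Larry", "Curly", 40, 2),
    Process("Governance", "Policy review and exception handling", "Norton", "Norton", None, 30, 3),
    Process("Risk Assessment", "Quarterly risk assessment", "Norton", "Norton", "Larry", 20, 2),
    Process("Access Control", "Access reviews and deprovisioning", "Curly", "Curly", "Kramden", 80, 3),
    Process("Awareness and Training", "Phishing simulations and training", "Larry", "Larry", None, 25, 2),
    Process("Data Security", "Backup and encryption verification", "Kramden", "Kramden", "Curly", 60, 1),
    Process("Security Continuous Monitoring", "Log and antivirus alert review", "Kramden", "Kramden", None, 120, 2),
    Process("Analysis", "Alert investigation", "Curly", "Curly", "Kramden", 45, 2),
    Process("Improvements", "Post-incident lessons learned", "Norton", "Norton", "Larry", 20, 1),
    Process("Recovery Planning", "DR plan maintenance and restore tests", "Kramden", "Kramden", None, 30, 1),
]

if __name__ == "__main__":
    r = analyze(PROCESSES, RESOURCES)
    print(f"needed {r['needed_hours']:.0f}h, available {r['available_hours']:.0f}h, "
          f"difference {r['hours_difference']:+.0f}h")
    print("no backup resource:", r["missing_backup"])
    print("overloaded:", r["overloaded"], r["load_by_resource"])
```

With this data the team-level numbers match the slide (5640 needed, 5184 available, 456 short), but the per-resource view is the part management needs to see: Kramden carries 2520 annual hours against 1296 available, while Larry and Norton are under 900, and three of the four processes without a backup are Kramden's. That is the "what's missing from your program" answer in a form you can take to the budget discussion.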
• 51. Assess Maturity
(Figure: characteristics of the Capability Maturity Model levels, http://en.wikipedia.org/wiki/File:Characteristics_of_Capability_Maturity_Model.svg)
• 53. Explain Risks To Management
• Show up with solutions, not problems
• Get management buy-in on what must be done
  • Show management what can and cannot be done
  • Document risks in the risk register
• Are they willing to fund improvements?
  • Make your budget requests to close gaps and improve maturity
  • Get management sign-off on risks; this should not be your burden to bear
  • Spend your money wisely
• If management doesn't fund the program and doesn't accept the risks? Update your resume; time to move on
• 54. Process Recap
1. Choose Framework
2. Choose Services
3. Define Processes
4. Add Attributes
5. Populate Data
6. Data Analysis
7. Summarize Opportunities
8. Risk Review with Management
9. Update Risk Register
10. Treat or Accept Risks
• 56. Discussion / Questions