Slides from my information security management talk at a CalCPA Society Meeting. This story-filled non-technical talk provides real-world guidance executives and their boards need to meet the challenge of cybercrime. - Why Care: Business Implications of Cyber Crime. - The Critical Four: Key Questions for Managing Information Risk. - Why Are We So Vulnerable? Three Inconvenient Truths. - We Have a Firewall and Antivirus. Isn’t This Enough? - What Are We Supposed to Do: Information Security Management Objectives. - How Do We Do It: The Six Key Information Security Management Strategies. - Leadership and Culture: The Final Frontier.

1. Meeting the Information Security Management
Challenge in the Cyber-Age
© Copyright 2016. Citadel Information Group. All Rights Reserved.
Stan Stahl, Ph.D.
President
Citadel Information Group
May 2016

2. 2
The number one thing at the Board level and CEO level is to take
cybersecurity as seriously as you take business operations and
financial operations. It’s not good enough to go to your CIO and
say “are we good to go.” You’ve got to be able to ask questions
and understand the answers.
Major Gen Brett Williams, U.S. Air Force (Ret)
This Week with George Stephanopoulos, December 2014

4. Online Fraud: Business Email Compromise
Deceives Controller
4
From: Your Vendor, Stan
Sent: Sunday, December 28, 2014 12:07 PM
To: Bill Hopkins, Controller
Subject: Change of Bank Account
Hi Bill – Just an alert to let you know we’ve changed banks.
Please use the following from now on in wiring our payments.
RTN: 123456789 Account: 0010254742631
I’m still planning to be out your way in February. It will be nice
to get out of the cold Montreal winter.
Great thanks.
Cheers - Stan
_________________________
The secret of success is honesty and fair-dealing.
If you can fake that, you’ve got it made ... Groucho Marx

5. Company Loses $46 Million to Online Fraud
5

6. FBI Reports $2.3 Billion Lost to Business
Email Compromise

7. Your Money or Your Data: Ransomware
Viruses Reach Epidemic Proportions
7
Hollywood Presbyterian Medical Center
paid $17,000 to ransomware hackers

8. Epidemic of Credit Card Theft … Medical
Records Theft … Personnel Records Theft
8

9. Data Breach Costs Expensive.
Money Down the Drain.
 Approximately $150 Per
Compromised Record
 $15 Million Per Event
 Investigative Costs
 Breach Disclosure Costs
 Legal Fees
 Identity Theft Monitoring
 Lawsuits
 Customers
 Shareholders
http://www.ponemon.org/index.php
9

10. Competitor Steals Information. Bankrupts
Company.
10

11. Intellectual Property Theft —Economic Death
by a Thousand Cuts
11

12. Disgruntled Employees Sabotage Systems,
Steal Information and Extort Money
12

13. Organizations Attacked Because Someone
Didn’t Like What They Stood For
13

14. The Bottom Line: Cyber Security Management
Is Now An Executive Management Necessity
 Customer Information
 Credit Cards and PCI Compliance
 HIPAA Security Rule
 Breach Disclosure Laws
 On-Line Bank Fraud & Embezzlement
 Theft of Trade Secrets & Other
Intellectual Property
 Critical Information Made Unavailable
 Systems Used for Illegal Purposes
14

15. Cybercrime’s Greatest Impact is on Small
& Medium Sized Organizations
 30% of victims have
fewer than 250
employees
 60% of small-
business victims are
out of business
within 6 months
 80% of breaches
preventable with
basic security
15

16. Managing Information Risk — Four Key
Questions
1. How serious is cybercrime and why
should my organization care?
2. How vulnerable are we, really?
3. What do we need to do?
4. How do we do it?
16

17. Internet not designed to be secure
Computer technology is riddled with security
holes
We humans are also imperfect
Why Are We so Vulnerable?
Three Inconvenient Truths
17

18. Cyber Security Need vs. Reality
18

19. http://www.citibank.
com.us.welcome.c.tr
ack.bridge.metrics.po
rtal.jps.signon.online.
sessionid.ssl.secure.
gkkvnxs62qufdtl83ldz
.udaql9ime4bn1siact
3f.uwu2e4phxrm31jy
mlgaz.9rjfkbl26xnjskx
ltu5o.aq7tr61oy0cmbi
0snacj.4yqvgfy5geuu
xeefcoe7.paroquian
sdores.org/
Phishing: Users Unwittingly Open the
Door to Cybercrime
19

20. Vendors an Increasing Information
Security Risk
20

21. Visiting a Website Can Expose You to
Cyberattack
21

22. Clicking an Ad Can Expose You to
Cyberattack
22

23. Cyberattacks Succeed Because of
Flaws — Vulnerabilities — in Programs
23

24. Technology Solutions Are Inadequate to
Challenge
http://krebsonsecurity.com/2012/06/a-closer-look-recent-email-based-malware-attacks/
24

25. Management Too Often Fails to Set
Security Standards for IT Network
Senior
Management
IT Head
That’s great
Bob. We’re all
counting on
you.
You’re
keeping us
secure now
aren’t you?
Yes sir.
Everything’s
fine.
Yes sir.
Everything’s
fine.
Hi Bob.
Things
good?
I appreciate
that sir.

26. Management Too Often Fails to Properly
Fund IT Network Security
26
Senior
Management
IT Head
I understand.
But you know
how tight
budgets are.
You’re
keeping us
secure now
aren’t you?
Yes sir.
Everything’s
fine.
We need a
BYOD
Solution.
Hi Bob.
Things
good?
I do. Yes sir.

27. We Make It Way Too Easy: 80% of
Breaches are “Low Difficulty”
 Inadequate training
of people
 Inadequate security
management of IT
networks
 Inadequate
involvement by
senior management
27
Verizon 2015 Data Breach Investigations Report:
http://www.verizonenterprise.com/DBIR/

28. Securing Your Organization28
Distrust and caution are
the parents of security.
Benjamin Franklin

29. The Objective of Information Security
Management is to Manage Information Risk
 Cyber Fraud
 Information Theft
 Ransomware
 Denial of Service
Attack
 Regulatory /
Compliance
 Disaster
Loss of Money … Brand Value … Competitive
Advantage

30. The Four Elements of Information Risk
 Confidentiality … Assuring information is only
accessible to those authorized to use it
 Integrity … Assuring that information is changed in
accordance with authorized procedures by
authorized people
 Availability … Assuring that information and
systems are available to users when they need it
 Authenticity … Assuring that a received message is
really from the purported sender
30

31. The Information Security Management
Chain
31
Identify Detect Respond RecoverProtect
Continuous Security Management Improvement
Risk Transfer and Insurance
Legal and Regulatory Framework
Based Upon:
1. NIST Cybersecurity Framework 1.0, February 12, 2014, Updated December 5, 2014
2. International Standards Organization 27001:2013: Information technology— Security techniques —
Information security management systems — Requirements
3. Porter Value Chain: Understanding How Value is Created Within Organizations

32. Don’t Try to Reinvent Wheel: Use an Accepted
Information Security Management Framework
 Information Security Policies
 Organization of Information
Security
 Human Resource Security
 Asset Management
 Access Control
 Cryptography
 Physical / Environmental
Security
 Operations Security
 Communications Security
 System Acquisition,
Development & Maintenance
 Supplier Relationships
 Information Security Incident
Management
 Information Security Aspects of
Business Continuity
Management
 Compliance
32

33. Manage Information Security Like
Everything Else. Establish Leadership.
33
An organization's ability
to learn, and translate
that learning into action
rapidly, is the ultimate
competitive advantage.
Jack Welch

34. Take Specific Action to Protect Against
Online Financial Fraud
 Implement Internal Controls
Over Payee Change Requests
 Assume all email or fax requests
from vendors or company
President are fraudulent
 Use Out-of-Band Confirmation
 Use Dedicated On-Line Banking
Workstation
 Keep Patched
 Use Only for On-Line Banking
 Work with Bank
 Dual Control
 Out-Of-Band Confirmation
 Strong Controls on Wires
34
See our blog:
https://citadel-
information.com/2016/02/business-
e-mail-compromise-dont-be-a-
victim/

35. Know What Information Needs To Be
Protected and Where It Is
35
Online Banking Credentials
Credit cards
Employee Health Information
Salaries
Trade Secrets
Intellectual Property
Customer Information
Servers
Desktops
Cloud
Home PCs
BYOD devices

36. Implement Written Information Security
Management Policies and Standards
36

37. Train Staff to Be Mindful.
Provide Phishing Defense Training.
37

38. Provide Information Security Education.
Change Culture.
38
If you do not know
your enemies nor
yourself, you will be
imperiled in every
single battle.

39. Ensure IT has Aggressive Vulnerability and
Patch Management Program.
39

40. Require Vendors to Meet Security
Management Standards
 Security Management included in
Service Level Agreements
 Comply with Information Security
Standards
 Business Associate Agreements
(HIPAA)
 Information Security Continuing
Education
40

41. Make Sure Critical Information Available
in Disaster or Ransomware Attack
41
Trust … But Verify.

42. Be Prepared: It’s Not “If” But “When”
42

43. Getting Started: Implement Basics. Assess
IT Security. Develop Strategy.
43
Put Someone in
Charge
Review IT
Network
Management
Compliance with
Security
Standards
Conduct IT
Network
Vulnerability
Scan
Establish Policies
& Standards
Train Staff
Develop Strategy

44. Create Steering Committee to Manage
Ongoing Information Security
44
Leadership & Organizational Improvements
Security Management of IT Network
Security Improvements to IT Network
Improve constantly and
forever the system of
production and service, to
improve quality and
productivity, and thus
constantly decrease costs
W. Edwards Deming
14 Key Principles for Improving
Organizational Effectiveness

45. Join a Secure The Village Roundtable
45

46. Summary: Manage Security of Information as
Rigorously as Operations & Finance
Implement Formal Information Security Management System
1. Information Security Manager / Chief Information
Security Officer
a. Independent C-Suite Access
b. Provide Cross-Functional Support
c. Support with Subject-Matter Expertise
2. Implement Formal Risk-Driven Information Security
Policies and Standards
3. Identify, Document and Control Sensitive Information
4. Train and Educate Personnel. Change Culture.
5. Manage Vendor Security
6. Manage IT Infrastructure from “information security point
of view”
46

47. Security is Proactively Managed
mation Security Standard of Care
Information Security Proactively Managed
Commercially Reasonable Information Security Practices
Lower Total Cost of Information Security SM

48. Citadel Information Group: Who We Are
48
Stan Stahl, Ph.D
Co-Founder & President
35+ Years Experience
Reagan White House
Nuclear Missile Control
Kimberly Pease,
CISSP
Co-Founder & VP
Former CIO
15+ Years Information
Security Experience
David Lam, CISSP, CPP
VP Technology
Management Services
Former CIO
20+ Years Information
Security Experience

49. Citadel Information Group: What We Do
49
Deliver Information Peace of Mind SM
to Business and the Not-for-Profit Community
Cyber Security Management Services
Information Security Leadership
Information Security Management Consulting & Coaching
Assessments & Reviews … Executive Management …Technical Management
Secure Network Engineering … Secure Software Engineering
Incident Response / Business Continuity Planning
Adverse Termination

50. For More Information
Stan Stahl Stan@citadel-information.com 323-428-0441
LinkedIn: Stan Stahl Twitter: @StanStahl
Citadel Information Group: www.citadel-information.com
Information Security Resource Library
Free: Cyber Security News of the Week
Free: Weekend Vulnerability and Patch Report
50

51. Meeting the Information Security Management
Challenge in the Cyber-Age
© Copyright 2016. Citadel Information Group. All Rights Reserved.
Stan Stahl, Ph.D.
President
Citadel Information Group