Presented by Evan Francen at the 2012 RK Dixon Tech Summit
1. Information Security in a Compliance World
RK Dixon Tech Summit ‘12 – November 7, 2012
Presented by Evan Francen, President – FRSecure, LLC
http://www.frsecure.com | 952-467-6384
2. Introduction
Thank you for attending!
Thank you to RK Dixon for inviting us!
3. Introduction
Before we get started:
• This is not your typical presentation.
• What you have to say is as important as what I am going to tell you.
• You are encouraged to participate!
I will ask you questions, if you don’t ask me some!
4. Introduction
FRSecure
• Information security consulting company – it’s all we do.
• Established in 2008 by people who have earned their stripes in the field.
• We help small to medium sized organizations solve information security challenges.
5. Introduction
Speaker – Evan Francen, CISSP CISM CCSK
• President & Co-founder of FRSecure
• 20 years of information security experience
• Security evangelist with more than 700 published articles
• Experience with 150+ public & private organizations.
6. Introduction
Topics
• What drives information security in your organization?
• What is information security?
• Customer requirements
• Compliance
• Compliant = Secure?
• Solution - Strategic Information Security
• Top Five Things You Should Do (Tactically & Strategically)
• Need Help? – Contact Us!
7. What drives information security at your organization?
This is a question for you.
8. Maybe an explanation of information security would help…
In your opinion/words, what is information security?
10. Information Security Is Not an IT Issue
Information security is the application of administrative, physical and technical controls to protect the confidentiality, integrity and availability of information.
IT-centric information security over-emphasizes technical controls, often at the expense of administrative and physical controls.
IT-centric information security also over-emphasizes the availability of systems, sometimes at the expense of confidentiality and integrity.
11. Back to our question; what drives information security at your organization?
Customer requirements?
Regulations?
• HIPAA, GLBA, FTC, FERPA, Computer Fraud and Abuse Act, etc.
Risk?
Really, there is only one good answer: risk.
12. Customer Requirements
What’s the problem with customer requirements?
• Different customers, different requirements
• Customers don’t know your business like you do
• To your customers, their own protection matters more than your success
• Customers are probably more confused than you are
Should the basis of your information security strategy be customer requirements?
13. What’s the problem with compliance?
• You’re in business to make money, right?
• Information security is not one size fits all
• Regulators and examiners are not information security professionals
• Compliance is confusing, yes?
Should the basis of your information security strategy be compliance?
14. Compliant DOESN’T mean Secure!
Today’s compliance landscape is confusing!
Federal Regulations:
• HIPAA, GLBA, FTC, FERPA, Computer Fraud and Abuse Act, etc.
State Regulations:
• Breach notification laws, data destruction laws, data protection laws
Industry Regulations:
• Payment Card Industry Data Security Standard (PCI-DSS)
Customer Requirements:
• Good luck!
15. Solution – A strategic approach to information security
Principles of strategic information security:
• Alignment with business objectives
• It’s all about people – culture
• Management involvement
• Proactive vs. Reactive
• Forward-looking
• Formal
OWN IT!
16. Top Five Things for You To Do
#1 – Conduct a risk assessment
• Where are your most significant risks?
• Which risks are the highest priority?
• How will we justify our existence (expenditures)?
• How do we measure what we’re doing?
17. Top Five Things for You To Do
#2 – Documented Policies & Procedures
• Policies are one tool we use to set culture.
• What is management’s view?
• Nobody reads policy, bummer.
• People are the biggest risk.
• Policies set direction and governance
18. Top Five Things for You To Do
#3 – Patch your systems & install antivirus
• Together, not one in lieu of the other
• Might be a pain, but it’s worth it (trust me)
• This is the song that never ends…
19. Top Five Things for You To Do
#4 – Training & Awareness
• How do users know what to do if you don’t tell them?
• Remember culture?
20. Top Five Things for You To Do
#5 – Incident Response
21. DON’T FORGET
Sometimes information security professionals forget this fact!
• Not all risks require mitigation/remediation
• Information security must be strategic
• Information security strategy must align with business strategy
• Avoid business vs. information security scenarios
• Information security controls should be as transparent as possible
22. Top Five Things for You To Do
BONUS
Govern mobile devices
• Data doesn’t stay home anymore
• How do you protect data on mobile devices?
23. How we help – Risk Assessment
24. How we help – Risk Management (Build & Manage)