
© 2008 Jupitermedia Corporation

Choosing Security Management Solutions for Your IT Infrastructure

March 24, 2009, 2:00pm EDT, 11:00am PDT

George Spafford, Principal Consultant

Pepperweed Consulting, LLC

“IT Value. Realized.”

http://www.pepperweed.com

Housekeeping

• Submitting questions to speaker

– Type question into small box in the Chat (Q&A) window on the left and click the arrow button.

– Questions will be answered during 10 minute Q&A session at end of webcast.

• Technical difficulties?

– Click on “Help” from top menu – select “Troubleshooting” to test system, get FAQ

– Or get tech support via Q&A tool

Main Presentation


Agenda

• An RFP Process

• Identifying Automation Requirements

• Assembling an RFP

• Evaluation

Slides available by emailing:

[email protected]

Or

[email protected]


Manage the RFP Process (1)

• Manage as a project

• Requirements Management

• Prospective Vendor Identification

• Notify Vendors of Opportunity to Bid

• Send Request for Proposal

– Contact information of proposal manager (keep formal)

– Deadline for questions and response method

– Deadline for final submission

– Expected Selection Date

– Notification of other parties (not the winners)

Manage the RFP Process (2)

• Plan on one to two rounds for selection

• Internal response review management

– Demos

– Reference Checking

– Internal stakeholder management

• Notification of winner

– Consider backups

Agenda

• An RFP Process

• Identifying Automation Requirements

– Background

– Controls and Processes

– Automation Requirements

• Assembling an RFP

• Evaluation

Slides available by emailing:

[email protected]

Or

[email protected]


Information Security’s Big Problems

• Lack of Staff

• Lack of Budget

• Lack of Time

• Lack of Knowledge

• Lack of Focus

• Can’t necessarily fix the first three short-term

– Actually, probably shouldn’t even try the first two without understanding more

• Can Address the Last Two

Traditional Start: Risk Management

• Can’t protect everything – shouldn’t even try

• Risk = Probability x Business Impact

• Risk Management

– Identification / Recognition

– Analysis

– Mitigation

– Evaluation / Re-evaluation (The “Plan, Do, Check, Act” cycle)

• Sounds easy? It isn’t

• A veneer of numbers over subjective estimates

• Does help with ranking

• Biggest concern – time to assemble and execute a basic risk management program (or even ERM)


Situational Awareness

• Can’t wait forever to collect and analyze risk data

• Need Situational Awareness

• Establish what matters to the business

• Do some initial homework

– Review past audits, annual and quarterly reports, etc.

• Understand what executives worry about

– Interview them – “So, what keeps you awake at night?”

• Involve audit, compliance, legal counsel

• Public facing systems vs. Internal systems

• Need to understand what threatens what matters

• We must focus – Rule out the irrelevant

Establishing the Technology Landscape

• Translate the business worry list into processes

• Again, we must focus

• What technologies are used at the various layers?

– Network

– Server

– Database

– Application

• What standards are in place?

– In other words, are they all uniquely configured snowflakes?

Types of Controls

• Preventive – Prevent Unwanted Event

– Policies and procedures

• Detective – Discover After-The-Fact

– Log review, Integrity review tool

• Corrective – Return to Last Approved State

– Restore from backup, package deployment

• Event Trigger – Manual or Automatic

– Tool alarm, database criteria

• Response – Manual or Automatic

– Manual operator review and intervention

– Auto-response such as quarantine, machine shutdown, restore virtual machine

Processes

• A set of tasks assembled to achieve an objective

• Extremely beneficial to think in terms of processes

• Inputs, outputs, sub-processes, roles, metrics

• Formalization and repeatable results

• Can have processes without controls seemingly be effective in the short-term (they’re lucky)

• Can’t have effective controls without processes

• Continuous process improvement tools


To Learn More - Visible Ops Security

• Published March 2008 by the ITPI

• Phase 1 – Stabilize the Patient and Get Plugged into Production

• Phase 2 – Find Business Risks and Fix Fragile Artifacts

• Phase 3 – Implement Development and Release Controls

• Phase 4 – Continual Improvement

• Available from ITPI or Amazon.com


Identifying Automation Requirements (1)

• Assemble team with needed perspectives – not just who is available

• Begin with the IT General Controls (ITGCs)

• Moving forward, automate to:

– Reduce residual risks to an acceptable level

• Probabilistic in nature – not certain

• Inherent Risk = No mitigation

• Residual Risk = Inherent Risk less Mitigation

• Management defines what is acceptable

• Note – human error is a risk (users, IT and information security)

– Break constraints

• Known / certain vs. probabilistic risk

• Think of a length of chain

• Unless you address the constraint, the throughput of the system will not increase

Identifying Automation Requirements (2)

• Think in terms of

– People – policies, procedures, training, cultural change, etc.

– Processes – assess, design, implement, improve

– Technology – integration, capacity, dependencies, and so on

• Critical to have a holistic systemic approach

– Think in terms of services – what to protect and how to protect

– Many aspects of security are best thought of as services

• Assemble functional requirements

• Rank requirements

– Must-haves and nice-to-haves

– Could be additional categories 1 (mandatory) – 5 (optional)

– Need to be able to trade off


Agenda

• An RFP Process

• Identifying Automation Requirements

• Assembling an RFP

• Evaluation

Slides available by emailing:

[email protected]

Or

[email protected]


Leverage Procurement

• Procurement’s objectivity and specialization can help

– Negotiation is a skill

– Experience yields insight

• Organizational Terms & Conditions

– Payment structuring

– Dispute settlement

– IP ownership

– Non-competes

– No-hire clauses

– Derivative works

• Do you understand the topic/need/technology enough to even structure an RFP?

– May need objective third party

Structuring an RFP – Software

• Purchase price (and lock in pricing for x years)

• Support pricing (and lock in pricing for x years)

• Service Levels

– Support

– Changes

• Implementation

• Documentation

• Adherence to organizational standards in general

– Information security, structured development, testing, integration, etc.

• Training

• Deadlines

• Trial period

Structuring an RFP – Services

• Purchase price (and lock in pricing for x years)

• Support pricing (and lock in pricing for x years)

• Service Level Requirements

– Response time for service

– Storage Current and Forecast

– Security Standards and Response Times

– Incident and Problem Response Times

– Change Requests

• Implementation

• Documentation

• Adherence to organizational standards in general

• Training – users, IT operations, info sec, etc.

• Deadlines

• Trial Period

Identify Prospective Vendors

• Current Vendors / Past Work

• Word of Mouth / Networking / References

• Leverage Analysts

• Trade Media

• WWW / Google

• Industry Partners

• Professional Associations


Agenda

• An RFP Process

• Identifying Automation Requirements

• Assembling an RFP

• Evaluation

Slides available by emailing:

[email protected]

Or

[email protected]

Evaluating Vendors (looking beyond tools)

• Financial Health

– Will they be around?

• Experience

– How many times have they done this before you?

– Do they have reference customers?

• Create “derived” references from their provided references

– Google can be your friend to learn more

• Culture

– Can your organization and people work with them?

• Approach / Standards / Methodology

– Do they have a formal method?

– How does it align with your approach?

• Vision and Strategic Direction

– Do they align with your needs?

Selecting the Vendor & Solution

• To reiterate – involve the right stakeholders on your end during the selection process and scoring

• Create weighted scoring sheet from requirements including the vendor-level questions

– Weight the most important requirements higher

– Have reviewers score the proposed solution from 0 to 5

• 0 = Does not meet the requirement at all.

• 5 = Solution exceeds this requirement

• Ask for formal responses from vendors (in writing, just in case)

• Ask for demos (beware of smoke and mirrors)

• Factor in the references

• May need two rounds

– Reflect information learned during the process

– To focus efforts on the finalists
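One way to turn the slide's scoring scheme into a repeatable sheet, written here as an added example rather than anything from the webcast: requirements carry the 1 (mandatory) to 5 (optional) category from the earlier slide, reviewers score 0 to 5, mandatory requirements are weighted highest, and a 0 from any reviewer on a mandatory requirement disqualifies the proposal. The requirement names, vendors and scores are constructed sample data; the weight mapping (6 minus category) is an assumption.

```python
from statistics import mean

# Constructed sample requirements: name -> category, 1 (mandatory) .. 5 (optional)
REQUIREMENTS = {
    "centralized log collection": 1,
    "role-based access control": 1,
    "integration with ticketing system": 3,
    "custom dashboard themes": 5,
}

# Constructed reviewer scores: vendor -> requirement -> scores from each reviewer, 0..5
SCORES = {
    "Vendor A": {
        "centralized log collection": [4, 5],
        "role-based access control": [3, 4],
        "integration with ticketing system": [2, 2],
        "custom dashboard themes": [5, 5],
    },
    "Vendor B": {
        "centralized log collection": [5, 5],
        "role-based access control": [0, 1],  # a reviewer found a must-have unmet
        "integration with ticketing system": [5, 4],
        "custom dashboard themes": [1, 0],
    },
}


def weight(category):
    """Assumed mapping: category 1 (mandatory) -> weight 5 ... category 5 (optional) -> weight 1."""
    if not 1 <= category <= 5:
        raise ValueError("category must be 1..5")
    return 6 - category


def score_vendor(vendor_scores, requirements=REQUIREMENTS):
    """Return (weighted total, disqualified) for one vendor's reviewer scores."""
    total = 0.0
    disqualified = False
    for req, category in requirements.items():
        reviews = vendor_scores[req]
        if any(not 0 <= s <= 5 for s in reviews):
            raise ValueError(f"scores for {req!r} must be 0..5")
        if category == 1 and min(reviews) == 0:
            disqualified = True  # any reviewer scoring a must-have 0 knocks the proposal out
        total += weight(category) * mean(reviews)  # average across reviewers, then weight
    return round(total, 2), disqualified


def rank_vendors(all_scores, requirements=REQUIREMENTS):
    """Rank vendors by weighted total; disqualified proposals sort after all others."""
    results = {v: score_vendor(s, requirements) for v, s in all_scores.items()}
    return sorted(results.items(), key=lambda kv: (kv[1][1], -kv[1][0]))
```

Running `rank_vendors(SCORES)` places Vendor A first and marks Vendor B disqualified despite its strong optional scores, which is the trade-off the slides' must-have / nice-to-have split is meant to force.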

Suggestion – Start, Learn and Evolve

• The first step is only the beginning of a journey

• Needs will change as technologies and the world changes

• Leverage metrics where possible to track status

• Conduct quarterly reviews of progress

• Formally schedule reviews to assess the current state and look for new opportunities

• Always look for new opportunities and threats

[Diagram: a continual improvement cycle linking four questions to four activities – Where do we want to be? (Vision and Objectives); Where are we now? (Audits / Assessments); How do we get to where we want to be? (Process Improvement, leveraging best practices); How do we monitor progress? (Metrics and Critical Success Factors)]


Thank you for the privilege of facilitating this webcast

George [email protected]

http://www.pepperweed.com

The News – Archive, RSS and Email Subscription Instructions: http://www.spaffordconsulting.com/dailynews.html

(Covers IT management, business, energy, security and a host of other topics)


Placeholder for IBM Slides


Questions?


Thank you for attending

If you have any further questions, e-mail [email protected]

For future internet.com Webcasts, visit www.internet.com/webcasts