5/4/2012

1

Sustain

Building Block or Appendage

Presented by: Andrew A. Nooks

CISSP, CISA, 

CISM, CRISC

Execute

Grow

AliciaMarlon

Cer Alka

• A bit about me

• More about you

5/4/2012

2

• Definitions

• Why information security is important• Why information security is important

• Managing security risks

• Security incident response

DEFINITIONS

5/4/2012

3

BUILDING BLOCK

• Element or integral part of somethingElement or integral part of something

– Aligned

– Threat Resistant

– Reduce Risk

– Appropriate Value

– Sustainable

• Subordinate part attached to something

– Reactive

– Quick fix

– Temporary

– Not Aligned

5/4/2012

4

• Protecting information and information f i d dassets from unintended:

– access

– usage 

– disclosure 

– disruption 

difi i– modification 

– inspection 

– recording or destruction

Utility

Accuracy

Authenticity

Integrity

AvailabilityConfidentiality

Secure Information

5/4/2012

5

Technology Security

• Firewall

• IDS/IPS

Information Security

• Intellectual Property

• Business/Financial IntegrityIDS/IPS

• Malware

• Encryption

• Operating System

Business/Financial Integrity

• Compliance

• Industrial Espionage

• Confidentiality

IMPORTANCE OF INFORMATION SECURITY

5/4/2012

6

• A threat is an object, person, or other entity that represents a constant dangerentity that represents a constant danger to an asset

– System Failures

– Human Errors

– Acts of Nature

– Deliberate Attacks

• People committed to circumvention of computer securitycomputer security. – Competitors

– Employees

– Contractors

– Ethical Security professionals

Neighbors– Neighbors

– Friends

– Customers

– Our Children

5/4/2012

7

ATTACK METHODS

• Electronic 

• Physical

• Human (Social Engineering)

Reputation

Compliance

FinancialHuman

Reputation

5/4/2012

8

•If you do not know your enemies nor yourself, you will lose every single battle.

•If you do not know your enemies but do know yourself, you will win one and lose one; 

•If you know your enemies and know yourself, you will not lose in a hundred battles; •Adapted from Sun Tzu’s “The Art of War”

IMPLEMENTING SECURITY

5/4/2012

9

SECURING BUSINESS INFORMATION

Know Your “Self” Know Your “Enemy”

• Understand Business Objectives

• Align and Classify 

• Conduct Gap Assessment

• Implement controls

• What threatens your business objectives

• Who/What threatens you business assets

• Consequences

p

MANAGING RISKS

Align Business, IT 

Implement ControlsAdministrative

Logical

Physical

Monitor & Evaluate

Train/Educate/Awareness

5/4/2012

10

LAYERED DEFENSE

Host/Net

App

Policies Process

Perimeter

Physical

GuidelinesAwareness

I id

Communication Human Resource

Operations  Physical and 

System Acquisition, Development Maintenance

Business Continuity 

Management

ComplianceIncident 

Management

Security Policy

OrganizationOf

Information Security

Asset Management

Risk Management

ManagementHuman Resource

Management Environmental

5/4/2012

11

Security PolicyAsset 

Management

Preparation Eradication Recovery

IdentificationContainment

Lessons Learned

5/4/2012

12