How To Work With A Partner In Order To Meet Your Security Needs - PowerPoint PPT Presentation

About This Presentation

Title: How To Work With A Partner In Order To Meet Your Security Needs

Description: IT organizations are primarily focused on availability. New ... (copier/printer/fax) with a TCP/IP address. Firewall. Internet. Server. Analog Fax. Connection ...

Slides: 26
Provided by: mnag5
Transcript and Presenter's Notes

1
How To Work With A Partner In Order To Meet Your Security Needs
Mark Nagiel, Manager, Security Consulting
2
Not Part Of This Presentation
  • Scary Numbers!
  • Doom and Gloom!
  • Sales Pitch!

3
Security Concept 1
Security is a process
4
Security Concept 2
Robust information security programs are
  • Multi-dimensional
  • Comprehensive
  • Policy-centric
  • Holistic

5
The Holistic Model
  • Policy Development
  • Countermeasure Engineering
  • Security Awareness
  • Security Monitoring
  • Incident Response
  • Vulnerability Assessment
  • Policy Enhancement
6
Security Concept 3
Think beyond security: think risk management
7
Why Do We Need Security Partners?
  • Security is rarely a core IT organization
    competency
  • IT organizations are primarily focused on
    availability
  • New threats emerge on a daily basis
  • Industry regulatory compliance
  • Insurance coverage requires independent audits
  • Security can be like performing brain surgery

8
The Perfect Partner Relationship
9
Partner Selection Framework
The PERFECT PARTNER combines:
  • Business Knowledge
  • Industry Experience
  • Solution Delivery Methodology
10
Security Partnership Fundamentals
  • A security partner should be treated as an extension of the organization.
  • Limit use of security partners to as few as possible.
  • Security partners should include knowledge transfer as part of any engagement or service.
  • Partners must clearly quantify security-related ROI.

11
Security Partner Selection Criteria
  • Potential partner must:
    - Understand the organizational business model
    - Understand how security will serve as a business enabler
    - Understand client risk tolerance
    - Understand business-specific threats
    - Understand industry-specific regulations (HIPAA, GLB)
    - Provide heterogeneous solutions
    - Adhere to industry best practices (ISO 17799 / BS 7799)
    - Be a trusted entity
    - Have appropriate security industry experience
  • Beware of product specialists!

12
Legal / Financial Obligations
When Selecting - Don't Forget
  • CEOs of public corporations are legally obligated to protect corporate data assets (due diligence).
  • Bad business decisions include bad decisions related to information security.
  • Shareholders can and will exercise their right to recover any loss due to negligence.
  • CEOs of certain organizations are subject to regulatory compliance.
  • Empowered and trusted employees must be viewed based on human factors.

13
Client Responsibilities
  • Client must share current risk management philosophy with partner
  • Client must share desired levels of risk management
  • Client must share BIA (business impact analysis) data if it exists
  • Client must provide access to key individuals (CEO, CIO, HR, Risk Management, Physical Security, or as appropriate)
  • Client must provide access to all pertinent technical and non-technical data/information
  • Client must detail expected deliverables
  • Client must detail quality of deliverables
  • Client must detail engagement schedule

14
Security Partner Responsibilities
  • Partner must:
    - Understand overall risk management goals
    - Understand risk tolerance levels
    - Provide solutions that can be leveraged in the future
    - Provide a heterogeneous strategy
    - Consider organizational limitations:
      - Technology
      - Process
      - Skills
      - Legacy Dependencies
      - Financial Constraints

15
Partner Engagement Goals
  • Security partnership must result in:
    - Enhanced integrity in the business model
    - Enhanced control over client data and information
    - Enhanced incident survivability
    - Enhanced non-disclosure of business-critical information
    - Enhanced application of key security pillars

16
Applied Technology Security
  • APPLICATION LEVEL
  • SYSTEM LEVEL
  • NETWORK LEVEL
17
Applied Process Security
  • INTELLECTUAL
  • SOCIAL
  • PHYSICAL
18
Engagement Considerations
  • Security Awareness
  • Virus Protection
  • Access Control
  • Security Auditing
  • Intrusion Detection / Prevention
  • Physical Data Protection
  • Insurance Coverage
  • Encryption
  • Policies and Procedures
Risk Management Fundamentals
19
Partner Success Map
  • Client Input: What is our acceptable level of risk?
  • Partner Input: What solutions and expertise can we offer?
  • Security / Partnership Roadmap: Do the proposed solutions meet our risk management and financial requirements?
  • Successful Partnership: Will the partnership ensure the achievement of acceptable levels of risk?
20
What Happens When Things Go Wrong
21
Open Shares
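As an added example (not code from the presentation), here is one concrete form of the "open shares" finding: an audit of a Samba smb.conf for shares that can be read or written without credentials. The slide names no platform, so Samba and its smb.conf format are an assumption, and the configuration text embedded below is constructed for this example rather than taken from any real host.

```python
"""Audit a Samba smb.conf for "open" shares reachable without credentials.

Added example for the "Open Shares" slide; not part of the original
presentation. Samba's smb.conf format is an assumption, and the sample
configuration is constructed for this example.
"""
import configparser
import io

# Constructed sample smb.conf: one share open for guest writes, one open for
# guest reads via the 'public' synonym, and one hardened share for contrast.
SAMPLE_SMB_CONF = """
[global]
   workgroup = CORP
   map to guest = Bad User

[finance]
   path = /srv/finance
   guest ok = yes
   writable = yes

[engineering]
   path = /srv/eng
   guest ok = no
   read only = yes
   valid users = @eng

[scans]
   path = /srv/scans
   public = yes
"""

# Samba accepts several spellings of boolean true.
TRUE_VALUES = {"yes", "true", "1"}


def _is_true(value):
    return value.strip().lower() in TRUE_VALUES


def parse_smb_conf(text):
    """Parse smb.conf text into {share_name: {option: value}}, skipping [global].

    interpolation=None keeps configparser from choking on Samba macros such
    as %U, and strict=False tolerates the duplicate keys real files contain.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_file(io.StringIO(text))
    shares = {}
    for section in parser.sections():
        if section.lower() == "global":
            continue
        # configparser lower-cases option names; Samba option names are
        # case-insensitive too, so matching on the lower-cased key is safe.
        shares[section] = {k.strip(): v.strip() for k, v in parser.items(section)}
    return shares


def find_open_shares(text):
    """Return [(share, severity, reason)] for every share that allows guest access.

    'public' is Samba's synonym for 'guest ok'. Writability is taken from
    'writable' / 'writeable' when present, otherwise from 'read only', whose
    Samba default is yes. A guest-writable share is rated critical, since it
    doubles as an anonymous drop point; a read-only guest share is rated high.
    """
    findings = []
    for name, opts in parse_smb_conf(text).items():
        guest = _is_true(opts.get("guest ok", opts.get("public", "no")))
        if not guest:
            continue
        if "writable" in opts or "writeable" in opts:
            writable = _is_true(opts.get("writable", opts.get("writeable", "no")))
        else:
            writable = not _is_true(opts.get("read only", "yes"))
        if writable:
            findings.append((name, "critical", "guest access with write permission"))
        else:
            findings.append((name, "high", "guest read access"))
    return findings


if __name__ == "__main__":
    for share, severity, reason in find_open_shares(SAMPLE_SMB_CONF):
        print(f"[{severity}] share '{share}': {reason}")
```

Run against the constructed file, the audit flags `finance` as critical and `scans` as high, and passes `engineering`, which requires membership of a group and is read-only. The same check belongs in a partner's vulnerability assessment deliverable: a static configuration review catches the share before an anonymous client ever enumerates it.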
22
Back Door Entry
E-Mail Server
23
Application Security
Diagram: Firewall, Nuclear Facility Network, Server Running Random Employee Drug Testing Software
24
Application Security
Same diagram, with TESTED labels added
25
Q &amp; A