infosec base concepts and governance

Upload: jeff-murri-8549

Post on 30-May-2018


  • 8/14/2019 Infosec Base Concepts and Governance

Information Security - Base Concepts & Leadership

Jeromie Jackson - CISSP, CISM, COBIT & ITIL Certified

[email protected] [email protected]

Brief Bio.

- President - San Diego OWASP
- Vice President - San Diego ISACA
- CISSP since 1996
- CISM, COBIT, & ITIL Certified
- SANS Mentor
- Security Solutions Architect @ TIG

Articles
- Covered in Forbes Magazine
- Credit Union Business Magazine
- Credit Union Magazine
- CU Times
- Insurance & Technology Review
- CMP Media
- Storage Inc.

Speaking Events
- SPC 2009
- SecureIT 2008
- SecureIT 2009
- Interop
- Government Technology Conference (GTC)
- Many Credit Union Leagues

Agenda

- IT Audit is not Enough
- Network Security
- Web Application Security
- Countermeasures
- Ignorance is Risk
- Managing by Measurement

IT Assessment

IT Audit is not enough

- Unclear Scope
- New Vulnerabilities/Risks
- Use of Lagging Indicators

Common IT Audit Deficiencies

- Third-Party agreements and contracts weak
- Employee Awareness Training needed improvement
- Too many privileged accounts
- Inability to document user privileges
- Log collection weak
- Critical assets not clearly defined & documented
- DR/BCP not regularly tested
- Internal controls not routinely reviewed
- Change management documentation & consistency lacking
- ERP systems riddled with segregation issues

- Paul Proctor and Gartner Risk & Compliance Research Community, March 2007

Human Stupidity

- Changing configurations
- Installing rogue programs
- Human Error (audits)

Conduct an IT Risk Assessment

Critical Assets

- Critical assets provide services to enable the business
- May be external facing
- May be a single machine or set of machines

Risk Management Frameworks & Functions

Frameworks
- NIST (SP800-30)
- Octave
- Octave Allegro
- Factor Analysis for Information Risk (FAIR)

Primary Functions
- Create Value
- Integral Organizational Process
- Continual, Systematic, Focused on Continual Improvement
- Account for People, Process, and Technology

Octave Allegro

- Great for a small group
- Smaller in scope than other options
- Can be conducted in waves (IE: IT/Business, etc.)

Containers

- Describe where the information resides
- May be a single system
- May be a group of systems
- Does not have to be electronic

Threats

- Describe the actors who exploit vulnerabilities, causing risk to the organization

Threat Trees

Vulnerabilities

- Issues which cause a system or process to deliver undesirable results
- May impact Confidentiality, Integrity, Availability

Risks

- The result of a threat agent acting upon a vulnerability
- Chain: Vulnerability, then Exploitation, then impact such as compromise of sensitive data, manipulation of funds/account data, or Denial of Service against Internet-Facing Systems

Deliverables

- Identification of Critical Assets
- Ranking of Assets
- Portfolio view of organizational risks

Network Security

TCP/IP

- Transmission Control Protocol / Internet Protocol
- Internet is based on TCP/IP
- Designed for unstable networks
- IPv4 prominent with IPv6 growing
- TCP, UDP, & ICMP are the primary types of packets

TCP

- Connection-Oriented
- Used when integrity or state is necessary
- Maintains state
- 3-way handshake to initiate session
- Significant overhead compared to UDP

TCP/IP Packet

Telnet

- Command-Line interface to operating system
- Commonly used for networking equipment and UNIX systems
- SSH should be used instead

SSH

- Encrypted version of Telnet
- Enables remote management through CLI
- Preferred method of remote management
- Should be used instead of Telnet

HTTP

- Hyper Text Transfer Protocol
- Pieces of a page (images, text, etc.) come across as unique TCP connections
- Ok to be used across network segments, External to DMZ

HTTPS

- Secure HTTP
- Encrypted with Secure Socket Layer (SSL) or Transport Layer Security (TLS)
- SSL inherently flawed based on use of MD5 for hashing
- Application data is now an encrypted payload
- May conduct server, and client, authentication
- Ok to be used across network boundaries, External to DMZ

SMTP

- Simple Mail Transfer Protocol
- Over port 25
- Used for outbound mail
- Notorious for security vulnerabilities
- Ok to be exposed from Internet to DMZ

SMTP Relaying

- Allows someone from one domain to relay information through another SMTP server
- An SMTP server should only allow outbound email from the domains it serves

EXPN/VRFY

- EXPN - Expand Address: attempts to expand the list of email addresses from a mailing list.
- VRFY - Verify Address: attempts to validate email addresses
- Many systems will/should provide a generic response

POP

- POP - Post Office Protocol
- Port 110
- Used to receive emails
- Can use APOP, which uses strong authentication
- APOP or IMAP are preferred methods

Server Message Block (SMB)

- This is the protocol associated with Microsoft file sharing, network printers, and serial ports (IE: for network-based modems)
- Due to the complexity and bulkiness of this protocol it is recommended not to allow it across boundaries whenever possible
- This should not be allowed on any Internet connections

Remote Desktop Protocol (RDP)

- Windows Terminal Services
- Not recommended to use on the Internet
- Instead use: VPN, Citrix, HTTPS, VMware

R-Commands

- Rsh - Remote Shell
- Rlogin - Remote Login
- Rcp - Remote Copy
- Etc.
- R-Commands allow users to define access control rights
- Exploited with "+ +" in .rlogin, etc.
- R-Commands should not be used; use SSH, etc. instead

IP Security (IPSEC)

- Used for VPNs
- Can run in two modes
- Tunnel - TCP/IP header encrypted and a new src/dst pair is added to the connection
- Transport - only payload is encrypted

Tunnel Vs. Transport

Voice Over IP (VOIP)

- Allows for phone conversations across IP networks
- Many security risks: Sniffing, MAC Spoofing, Application Vulnerabilities, Session Hijacking

File Transfer Protocol (FTP)

- Preferable protocol used to transfer files
- May be used cross-boundaries into a DMZ
- Historically many vulnerabilities; I often find exposure here

Trivial File Transfer Protocol (TFTP)

- Similar to FTP but less interactive
- Not used very often
- Can be used inbound into a DMZ

UDP Pros and Cons

- Connection-less protocol
- No error correction or retransmission
- Doesn't require sequence # or handshake, so MUCH easier to spoof
- Only 1-way communication
- No sequencing
- No 3-way handshake

Domain Name System (DNS)

- Used to resolve IPs to hostnames and vice versa
- 72.167.183.41 = jeromiejackson.com
- jeromiejackson.com = 72.167.183.41
- Single queries use UDP port 53

DNS Zone Transfers

- Zone transfers provide a copy of the name table that is stored by the DNS server
- Zone Transfers occur over TCP 53
- Zone Transfers should only be available to upstream providers/peers

DNS Caching

- When a client requests something to be resolved it will accept more information than what it had inquired about
- DNS Redirection & Spoofing: attacker spoofs reply with bogus data; attacker replies with correct data & corrupt data; attacker compromises DNS server & uses it to distribute additional bogus answers to queries

Simple Network Management Protocol (SNMP)

- Can provide vast amounts of data about systems
- Based on Management Information Bases (MIBs)
- V3 is the only version with built-in authentication, privacy, and access control

Internet Control Message Protocol (ICMP)

- Used for various tasks: Ping (Echo Request/Reply), Host Not Reachable, Network Unreachable, Redirects
- Only allow across borders if required

Hijacking

- TCP Hijacking: Man-In-The-Middle, TCP Reset, MAC Spoofing
- UDP: Race condition - respond prior to legit request
- ICMP: ICMP Redirect through an infected machine/network

BREAK - Next: Web Application Security

Web Application Security

Tools Being Used

- WebScarab: allows for HTML massaging; Transcoder
- Firefox Developer Tools: form editing; subvert client-side security settings

1- Cross-Site Scripting (XSS)

- XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding the content.
- XSS allows attackers to execute script in the victim's browser

Worry About Encodings

- Original URL: www.comsecinc.com/contact.php
- Base64: d3d3LmNvbXNlY2luYy5jb20vY29udGFjdC5waHA=
- URL Encoding: www.comsecinc.com%2Fcontact.php
- Derivatives to further obscure intent
- Spaces or content breaks within content: @im\port'\ja\vasc\ript:alert("XSS")';

Vulnerability

- Hijack user sessions
- Redirect to hostile location
- Website Defacement
- Possibly introduce worms

Protection

- Utilize a standard input validation mechanism
- Do not attempt black-list validation
- Java - Use Struts
- .NET - Use Microsoft Anti-XSS Library
- PHP - Use htmlentities() or htmlspecialchars()
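The two slides above make one argument: a black-list misses the encoded and broken-up forms of the same value, so validate against a known-good shape after canonicalizing, and encode on output. The following is an added example (not code from the slides or from the speaker) that walks the deck's own encoding variants through a black-list, a canonicalize-then-allow-list check, and HTML output encoding; the allow-listed host and the decoding heuristics are assumptions for the demonstration.

```python
import base64
import binascii
import html
import re
from urllib.parse import unquote

# Constructed test values, taken from the slide's own encoding examples.
ORIGINAL_URL = "www.comsecinc.com/contact.php"
BASE64_VARIANT = "d3d3LmNvbXNlY2luYy5jb20vY29udGFjdC5waHA="
URL_ENCODED_VARIANT = "www.comsecinc.com%2Fcontact.php"
DOUBLE_ENCODED_VARIANT = "www.comsecinc.com%252Fcontact.php"
OBSCURED_PAYLOAD = r"""@im\port'\ja\vasc\ript:alert("XSS")';"""

ALLOWED_HOSTS = {"www.comsecinc.com"}          # hypothetical allow-list
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]*$")   # known-good path shape
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def blacklist_passes(value: str) -> bool:
    """The approach the slide warns against: reject a few known-bad substrings.
    Returns True when the value is *accepted*, so encoded or broken-up
    payloads slip through untouched."""
    lowered = value.lower()
    return not any(bad in lowered for bad in ("<script", "javascript:"))


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Reduce a parameter to one canonical form before validating it.

    URL-decoding is repeated until the value is stable (catches %252F-style
    double encoding).  A whole-value base64 layer is peeled only when the
    result is printable ASCII; this heuristic suits fields the application
    expects to hold plain text, such as the redirect target used here."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    if BASE64_SHAPE.match(current) and len(current) % 4 == 0:
        try:
            text = base64.b64decode(current, validate=True).decode("ascii")
            if text.isprintable():
                return text
        except (binascii.Error, UnicodeDecodeError):
            pass
    return current


def is_allowed_target(value: str) -> bool:
    """Known-good validation: canonicalize, then require an allow-listed
    host and a path drawn from a small safe character set (no traversal)."""
    canonical = canonicalize(value)
    host, sep, path = canonical.partition("/")
    path = sep + path
    return host in ALLOWED_HOSTS and bool(SAFE_PATH.match(path)) and ".." not in path


def encode_for_html(value: str) -> str:
    """Output encoding, the equivalent of PHP's htmlspecialchars() with
    ENT_QUOTES: whatever survived validation is rendered as text, not markup."""
    return html.escape(value, quote=True)
```

Both the URL-encoded and the base64 forms canonicalize back to the original URL and pass the allow-list, while the obscured payload and an encoded script tag pass the black-list yet fail the known-good check.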

2- Injection Flaws

- User-supplied data sent to an interpreter
- SQL, LDAP, XPath, XML, SOAP, OS command injection

Vulnerability

- SQL Injection: Create, Modify, Delete, View tables/databases
- OS Command Injection: Read/Modify/Delete/Create files; Execute processes with privileges of the application.

Vulnerability

- Hostile File Uploads
- Access to Sensitive Data: Reading confidential data

Protection

- Use a Known Good strategy
- Sanitize User Input
- PHP: Disable allow_url_fopen and allow_url_include; Disable Register Globals & E_Restrict
- Java: Ensure Security Manager is enabled and properly configured
- .NET: Leverage least privilege via Security manager
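The "Known Good strategy" for data that reaches an interpreter is shown below as an added example (not from the slides): the SQL Injection case from the Vulnerability slide, with a string-built query beside its parameterized form, plus an allow-list for the one thing parameters cannot cover, an identifier chosen by the user. The in-memory SQLite table, its rows and the column names are constructed for the demonstration; passwords are stored in clear only to keep the example short.

```python
import sqlite3

ALLOWED_SORT_COLUMNS = {"name", "created"}   # known-good identifiers


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, created TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "2008-11-02"), ("bob", "battery staple", "2009-01-15")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """User-supplied data concatenated into the statement: the interpreter
    cannot tell where the data ends and the SQL begins, so a quote in the
    password field rewrites the WHERE clause."""
    query = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Known-good structure: the SQL text is fixed, the data travels as bound
    parameters and is compared as a value, never parsed as SQL."""
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def list_users_sql(sort_column: str) -> str:
    """Identifiers (column names) cannot be bound as parameters, so the
    known-good strategy is an allow-list: anything not on it is rejected
    outright rather than cleaned up."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    return f"SELECT name FROM users ORDER BY {sort_column}"
```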

4- Insecure Direct Object Reference

- A user's direct access to object references
- IE: Filenames & directories

Vulnerability

- Hostile File Uploads
- Access to Sensitive Data: Reading confidential data

Protection

- Avoid exposing private object references
- Indirectly reference objects: index files as opposed to utilizing their name
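One way to implement the "index files as opposed to utilizing their name" advice is a per-session indirection map, shown here as an added example (not the deck's code). The client only ever receives opaque indexes issued at login for the files that user may see; any request value that is not an issued index, including a real filename, a traversal string, or an index issued to another user's session, is rejected before the filesystem is touched. The user-to-file table is constructed for the example.

```python
import secrets
from typing import Dict, Optional

# Constructed sample data: which server-side report files each user may see.
USER_FILES = {
    "alice": ["statement-2009-01.pdf", "statement-2009-02.pdf"],
    "bob": ["statement-2009-01.pdf"],
}


class IndirectReferenceMap:
    """Per-session map from opaque indexes to real object names.

    The real filename never leaves the server, so the browser cannot ask
    for an object that was not explicitly issued to this session."""

    def __init__(self) -> None:
        self._by_index: Dict[str, str] = {}
        self._by_name: Dict[str, str] = {}

    def issue(self, real_name: str) -> str:
        """Return the opaque index for a real object, creating one on first use."""
        if real_name not in self._by_name:
            index = secrets.token_urlsafe(12)      # unguessable, per session
            self._by_index[index] = real_name
            self._by_name[real_name] = index
        return self._by_name[real_name]

    def resolve(self, index: str) -> Optional[str]:
        """Map an index back to a real object, or None if it was never issued."""
        return self._by_index.get(index)


def build_session_map(username: str) -> IndirectReferenceMap:
    """At login, issue indexes for exactly the files this user is authorised to see."""
    refmap = IndirectReferenceMap()
    for name in USER_FILES.get(username, []):
        refmap.issue(name)
    return refmap


def open_report(refmap: IndirectReferenceMap, requested: str) -> str:
    """Handle ?report=<index>: resolve only through the session's map.

    A real filename, a ../ traversal string or another session's index is
    simply an unknown key here, so it is refused without any path handling."""
    real_name = refmap.resolve(requested)
    if real_name is None:
        raise PermissionError("unknown object reference")
    return real_name   # a real handler would open this name under the report directory
```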

5- Cross-Site Request Forgery

- A CSRF attack forces a logged-on victim's browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim.
- IE: Vulnerable banking relationship, shopping site, etc.

Vulnerability

- Can exploit the vulnerability on behalf of the attacker:
- Submit bank transfer
- Send credit card information
- Automatically post information out to an Internet site

Protection

- Re-authenticate or use transaction signing to ensure that the request is genuine.
- Set up external mechanisms such as e-mail or phone contact in order to verify requests or notify the user of the request.
- Do not use GET requests (URLs) for sensitive data or to perform value transactions.
- Use only POST methods when processing sensitive data from the user.
- POST alone is insufficient protection. You must also combine it with random tokens, out-of-band authentication, or re-authentication to properly protect against CSRF.
- For ASP.NET, set ViewStateUserKey. It provides a similar type of check to a random token as described above.
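The "POST plus random token" combination from the Protection slide, as an added example that is not part of the original deck: a synchronizer token bound to the session is embedded in the legitimate transfer form, and the server rejects GETs for the value transaction, requests without a session, and requests whose token does not match (compared in constant time). The session store, form markup and response strings are constructed for the demonstration.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store: session id -> session data.
SESSIONS: Dict[str, Dict[str, str]] = {}


def start_session(user: str) -> str:
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid: str) -> str:
    """The token is embedded in the page the legitimate site serves.  A page
    on another origin cannot read it, so a forged form cannot include it."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def handle_transfer(method: str, sid: Optional[str], form: Dict[str, str]) -> str:
    """Server-side check for a value transaction.

    1. GET never performs the transfer (no URLs for value transactions).
    2. A valid session cookie is required.
    3. The submitted token must match the session's token; the comparison is
       constant-time so token bytes cannot be guessed one at a time.
    Only then is the action executed for the session's user."""
    if method != "POST":
        return "405 use POST"
    session = SESSIONS.get(sid or "")
    if session is None:
        return "401 not logged in"
    submitted = form.get("csrf", "").encode()
    if not hmac.compare_digest(submitted, session["csrf"].encode()):
        return "403 CSRF token missing or wrong"
    return f"200 transferred {form.get('amount')} to {form.get('to')} for {session['user']}"
```

A forged request rides the victim's session cookie but cannot supply the token, so it stops at the 403 branch even though it arrives as a POST.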

Vulnerability

- Data in errors may be useful for social engineering
- May disclose internal object references
- Often discloses account names

Protection

- Disable or limit error handling
- A common error handler is often useful
- Can send details out-of-band
- Ensure development team shares a unified approach

7- Broken Authentication & Session Management

- Allows attacker to bypass the I&A process
- Often introduced through ancillary authentication functions: logout, password management, timeout, remember me, secret question, and account update.

Vulnerability

- Subversion of authentication within the application
- Portions of application go unauthenticated

Protection

- Only use the inbuilt session management mechanism.
- Limit or rid your code of custom cookies for authentication or session management
- Use a single authentication mechanism
- Do not allow the login process to start from an unencrypted page.
- Use a timeout period
- Check the old password when the user changes to a new password

8- Insecure Cryptographic Storage

- Protecting sensitive data with cryptography has become a key part of most web applications.
- Simply failing to encrypt sensitive data is very widespread.

Vulnerability

- Inappropriate information disclosure
- Regulatory violation

Protection

- Do not create cryptographic algorithms.
- Do not use weak algorithms, such as MD5 / SHA1.
- Favor safer alternatives, such as SHA-256 or better.
- Generate keys offline and store private keys with extreme care.
- Ensure that encrypted data stored on disk is not easy to decrypt.

9- Insecure Communications

- Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
- Encryption (usually SSL) must be used for all authenticated connections.
- In addition, encryption should be used whenever sensitive data is transmitted.

Vulnerability

- Inappropriate access to conversations
- Any credentials or sensitive information transmitted.

Protection

- Use SSL for all connections that are authenticated or transmitting sensitive or value data
- Ensure that communications between infrastructure elements are appropriately protected.
- Under PCI Data Security Standard requirement 4, you must protect cardholder data in transit.

Vulnerability

- "Hidden" or "special" URLs, rendered to all users if they know they exist: /admin/adduser.php or /approveTransfer.do.
- Applications often allow access to "hidden" files, such as static XML or system-generated reports.

Protection

- Ensure the access control matrix is part of the business, architecture, and design of the application
- Perform a penetration test
- Do not assume that users will be unaware of special or hidden URLs or APIs.
- Block access to all file types that your application should never serve.

Implement Security in Projects

- The earlier security is implemented, the lower the cost of the project
- Inception - Ensure plans meet security standards
- Development - Ensure it stays on track
- Implementation - Validate implemented appropriately
- Operations - Monitor & Measure
- Disposal - Ensure proper asset disposal processes

Implement Standardized Processes for Data Validation

- Implement standard error handling processes to limit data exposure
- Utilize standardized sanitization processes to ensure consistent quality protection

Properly Segment the Environments

- Three-Tier DMZ

Test All External-Facing Applications

- Application test all applications accessible on the Internet
- Assess all systems which utilize restricted data (Healthcare, Credit Cards, ACH Transfers, etc.)

Strength in Numbers

- Join Local Associations: OWASP & ISACA

ComSec Services

Qualifications
- OWASP SD Chapter President
- CISSP & CISM Practitioners
- Board Members to ISACA
- ITIL & COBIT Certified
- NSS Labs Advisory Board
- 800+ Regulated Customers

Security Services
- Virtual CISO
- Social Engineering
- Risk Assessment
- Awareness Training
- Security Assessment
- Policy Development

Contact Information

Jeromie Jackson - CISSP/CISM
[email protected]
ComSec, Inc.
702-866-9412
Part 3: Technical Countermeasures

Web Application Firewall (WAF)

- Monitors and mitigates web-based vulnerabilities
- Some IDS/IPS signatures may see
- Some provide application profiling
- Imperva, Breach, DataPower

Antivirus / Anti-Malware

- Mostly signature based: identified files/processes
- Whitelisting becoming more prevalent
- Should be deployed @ the desktop & at the gateway
- Preferably two different engines/vendors

Authentication

- 3 factors of authentication
- Something you know: PIN, Password
- Something you have: Smart Card, RFID Card, Digital Certificate
- Something you are: Biometrics

Log Management

- Logs are of critical importance to auditors: Centralized, Monitored, Escalated, Consistent, Secure
- SIMs are a great way to correlate these

Access Control

- Role-Based
- User-Based
- Permissions (MAC & DAC)

Discretionary Access Control
- User's discretion
- Found on most multi-user operating systems (Read, Write, Execute / User, Group, Other)

Mandatory Access Control
- Objects are given labels
- Labels often hard-coded
- Specific access control provisions used (IE: Read down, write equal)

User Provisioning

- Often resource intensive
- Prone to error
- Provisioning software generally not cost-effective for SMB space
- Maximize the applications that are AD aware, and hopefully can leverage groups for access control

Symmetric Encryption

Asymmetric Encryption

Disk Encryption

- Should be deployed on all remote devices
- Full-Disk is preferable
- Mitigates the significant threats of a device being lost/stolen

Email Encryption

- Email goes over unencrypted ports
- Some tools require end-user to encrypt outbound
- Some can have policies based on destination
- Can be Symmetric or Asymmetric

SIM/SIEM

- Great way to reduce cost of security
- Consolidate those logs - make them useful!
- Pivoting is very functional (BI for Security)
- Trigeo, Arcsight, NetIQ
Database Auditing

- Some built-in
- Be careful of turning auditing on without tuning
- Imperva has a Database play
- Don't let developers directly connect to the SQL port(s)

Data Loss Prevention (DLP)

- Great way to gain visibility into previously unidentified risk vectors
- Remember Due Diligence & Due Care
- Some can import databases
- Some are agent based: this is good for mobile computing!

Physical Countermeasures

- Information Security != Technical Security
- Many attacks/breaches due to physical security weaknesses

ID Cards

- Various types: RFID Cards, Smart Cards, MAG Stripes

Smart Cards Pros/Cons

- Pros: Intelligent, Built-in CPU
- Cons: More expensive; Complexity generally adds risk

Mag Stripes

- Pros: Cheaper cards, Cheaper readers
- Cons: Exploitation costs lower

Administrative Controls

- Policies, Procedures, and Standards mitigate end-user risk
- Do not fall for the panacea that technology comprehensively mitigates risk

Policies

- Describe management expectations
- Describe what is to be done
- Should be aligned with high-level control objectives/intentions

Procedures

- Describe the actions required to carry out policies
- Describe how to execute the policies

Dual Control

- Two pieces of a key to open a door
- Two people to execute a transaction
- Additional signatures for processing

Audit

- Policies, procedures, and standards not beneficial if not in use
- Logs are required by auditors to ensure controls are consistently being implemented
- Primary Concepts: Least Privilege, Segregation of Duty, Dual-Control, Continual, Repeatable

Least Privilege

- Users should be given access only to resources necessary to carry out their job
- Mitigates inappropriate disclosures
- Enhances auditability
- Should be used to help stakeholders define access control requirements for an asset
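The Dual Control, Audit and Least Privilege slides describe one control set, and the added example below (not from the deck) puts it into code for the "two people to execute a transaction" case: only holders of the initiating role may start a transaction, the initiator may never approve their own (segregation of duty), two distinct approvers are required before execution (dual control), and every decision, accepted or rejected, is written to an audit log so the control can be shown to be in use. The role directory, role names and transaction fields are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample directory: user -> roles (hypothetical role names).
ROLES: Dict[str, Set[str]] = {
    "ana":  {"teller"},
    "ben":  {"teller", "approver"},
    "cara": {"approver"},
    "dan":  {"approver"},
}

REQUIRED_APPROVALS = 2        # dual control: two people to execute a transaction
AUDIT_LOG: List[str] = []     # every decision is recorded, accepted or not


@dataclass
class Transaction:
    tx_id: str
    initiator: str
    amount: int
    approvals: List[str] = field(default_factory=list)
    executed: bool = False


def _audit(tx: Transaction, actor: str, outcome: str) -> None:
    """Append one auditable record; auditors need the rejections as much as the approvals."""
    AUDIT_LOG.append(f"tx={tx.tx_id} actor={actor} outcome={outcome}")


def initiate(tx_id: str, initiator: str, amount: int) -> Transaction:
    """Least privilege: only the initiating role may create a transaction."""
    if "teller" not in ROLES.get(initiator, set()):
        raise PermissionError(f"{initiator} may not initiate transactions")
    tx = Transaction(tx_id, initiator, amount)
    _audit(tx, initiator, "initiated")
    return tx


def approve(tx: Transaction, approver: str) -> str:
    """Record one approval and execute once dual control is satisfied.

    Checks, in order: the approver role (least privilege), the initiator
    approving their own work (segregation of duty), an already executed
    transaction, and the same person signing twice (dual control needs two
    distinct people).  Returns the outcome string that was also logged."""
    if "approver" not in ROLES.get(approver, set()):
        outcome = "rejected: lacks approver role"
    elif approver == tx.initiator:
        outcome = "rejected: segregation of duty (initiator cannot approve)"
    elif tx.executed:
        outcome = "rejected: already executed"
    elif approver in tx.approvals:
        outcome = "rejected: dual control (same approver cannot sign twice)"
    else:
        tx.approvals.append(approver)
        if len(tx.approvals) >= REQUIRED_APPROVALS:
            tx.executed = True
            outcome = "executed"
        else:
            outcome = f"approved {len(tx.approvals)}/{REQUIRED_APPROVALS}"
    _audit(tx, approver, outcome)
    return outcome
```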

OS Hardening

- Least privilege
- Only required services allowed
- Remove unnecessary services
- Patching: mitigate vulnerabilities affecting the environment
- Consistency: reduce complexity; limit types of vulnerabilities affecting the environment; minimize vulnerabilities present in the environment; stabilize a baseline

Racking & Stacking @ a 3rd Party

- How far up will they manage?
- Up to the rack? OS & App threats; ability to install countermeasures
- Up to the OS? Can you deploy OS/Network countermeasures? Patching strategies; what about non-Microsoft applications?
- Up to the app? Auditability; Least-Privilege

  • 8/14/2019 Infosec Base Concepts and Governance

    119/157

    Ignorance is Risk

  • 8/14/2019 Infosec Base Concepts and Governance

    120/157

    Manage by MeasurementThrough the Use of a Control

    Framework

    Security Risks & Exposures areGrowing

    More than 35 million data records were

  • 8/14/2019 Infosec Base Concepts and Governance

    121/157

    breached in 2008 in the United States-Theft Resource Center

    Jan 20, 2009- Heartland Payment Systems-100 Million Transactions Per Month!http://www.2008breach.com/

    252,276,206 records with personal informationsince January 1995 - www.privacyrights.org

    Risk is a Business IssueIgnoring or misunderstanding financial risks played a

    http://www.2008breach.com/http://www.privacyrights.org/http://www.privacyrights.org/http://www.2008breach.com/
  • 8/14/2019 Infosec Base Concepts and Governance

    122/157

    substantial role in creating the world financial crisis in2008.

    Organizations need to assess risk as part of cost-cuttingdecisions and should manage increased IT risks toprevent operation failures that will lead to further loss.

    - Gartner, Managing IT Risks During Cost-Cutting Periods, October 22, 2008

    Risk is a Business Issue (Cont.) CardSystems Solutions Inc.

    Mid 2005 breach of 40 million credit cards.

  • 8/14/2019 Infosec Base Concepts and Governance

    123/157

    Visa & Mastercard terminated their processing capability-they soon went under

    35+ million data records were breached in 2008 in theUnited States-Theft Resource Center

    Heartland Payment Systems

    Jan 20, 2009

    100 Million Transactions Per Month

    http://www.2008breach.com 252,276,206 records with personal information since January

    1995 -http://www.privacyrights.org

    Risk Aware Risk Adverse

  • 8/14/2019 Infosec Base Concepts and Governance

    124/157

    Risk Adversef

    Risk Aware Vs. Risk AdverseRisk Aware

  • 8/14/2019 Infosec Base Concepts and Governance

    125/157

    Avoids Discussions of RiskAvoids Responsibility for risks

    No tracking or Analysis ofFeatures & Successes

    Can't Learn From Mistakes; HighRepeat Failure Rates

    Padded Budgets, Extended TimeLines, Surprise Overruns

    Managers Assign Blame, Don't

    Share the Risk

    OK to Talk About RiskOk to Take Risks

    Ok to Fail (if managing appropriately)

    Success and failures tracked and

    analyzedContinuous learning and improvementfor key processes

    Realistic budgets and time lines that arecontinuously monitored

    Enterprise is able to take on bigger risks2007 MIT Sloan Center for Information Systems Research & Gartner Inc.

    Being Risk Aware Enables Agility & InnovationBeing Risk Aware Enables Agility & Innovation

    Down Economy causing executivesto focus on profitability

  • 8/14/2019 Infosec Base Concepts and Governance

    126/157

    3 ways to improveprofitability

    Increase top-line sales Reduce COGS Optimize Operations

    Optimize IT Bridge the gap between control

    h l d

  • 8/14/2019 Infosec Base Concepts and Governance

    127/157

    requirements, technical issues, andbusiness risk Use a portfolio approach to risk

    management Manage by measurement Enable your organization to reap

    maximum benefit from technologyinvestments

    Regulation With Minimal Benefit
    * Redundant Requirements
    * Controls without clear benefits
    * Overlapping and vague requirements
    * Costly resource allocation

    Regulations
    * Increasing complexity
    * Resource intensive
    * Divert focus from maturing risk management

    Regulatory Convergence
    * Optimize Remediation
    * Assert Compliance Simultaneously

    IT & Business Alignment- Are we communicating?

    Agile - Competitive Advantage

    Prudent

    Implications
    * IT is meant to serve the business
    * IT must be aligned with business goals
    * IT is costly and requires prudent management

    Become Proactive
    * Instill best-practice governance
    * Utilize a risk-management portfolio to guide remediation
    * Consolidate Regulations

    Managing by Measurement

    Leading the Trauma Unit

    The Root Cause of IT Risk
    * 50 Case Studies
    * 130 Firms Surveyed
    * 2000+ Executives Refined

    Governance- Specifying the decision rights and accountability framework to encourage desirable behavior in using IT.

    - Peter Weill and Jeanne Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (Boston: Harvard Business School Press, 2004)

    The Root Cause of IT Risk - Lack of Governance

    George Westerman & Richard Hunter, IT Risk: Turning Business Threats Into Competitive Advantage (Harvard Business School Press, 2007)

    ...manifested as uncontrolled complexity and inattention to risk.

    Improve Risk Management

    Risk Management Process
    * Identify critical assets
    * Define containers
    * Identify risks & threats
    * Quantify or qualify risks
    * Prioritize Remediation Efforts

    Stop The Bleeding - Cauterize the Wounds
    * Identify & Collect Known Risks
    * Create a Remediation Portfolio

    Create a Remediation Portfolio
    * Document the As-Is State

    Stabilize the Patient
    * Classify Known Risks
      - External Audits
      - Internal Audits
      - Regulatory Audits
      - Vulnerability Assessments
      - Risk Assessments
    * Address Availability
    * Focus on Business Consequence
    * Consolidate Regulations

    Identify Primary Controls
    * Confidentiality
    * Integrity
    * Availability
    * Auditability

    Performance Measurement
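As an added example (not from the slides), the Python below walks the process above: findings collected from the audit and assessment types listed are the known risks, each is qualified by likelihood, business consequence and asset criticality, overlapping findings for the same asset and primary control are consolidated, and the result is ranked as a remediation portfolio. The weights, asset names and findings are assumptions made for illustration.

```python
# Added example, not from the slides: consolidate known risks gathered from
# audits and assessments into a prioritized remediation portfolio.
# All weights, assets and findings below are constructed for illustration.
from dataclasses import dataclass

CRITICALITY = {"low": 1, "medium": 2, "high": 3}   # assumed asset criticality weights


@dataclass
class Finding:
    asset: str        # critical asset or the container holding it
    control: str      # primary control: Confidentiality, Integrity, Availability, Auditability
    source: str       # external/internal/regulatory audit, vulnerability or risk assessment
    likelihood: int   # 1-5, qualified by the risk owner
    consequence: int  # 1-5 business consequence if the risk is realized
    criticality: str  # asset criticality: low / medium / high


def risk_score(f: Finding) -> int:
    """Qualitative score: likelihood x business consequence x asset criticality."""
    return f.likelihood * f.consequence * CRITICALITY[f.criticality]


def build_portfolio(findings):
    """Merge overlapping findings (same asset and control reported by several
    sources) into one item that keeps the highest score, then rank by score."""
    items = {}
    for f in findings:
        item = items.setdefault((f.asset, f.control), {"asset": f.asset,
                                "control": f.control, "score": 0, "sources": []})
        item["score"] = max(item["score"], risk_score(f))
        if f.source not in item["sources"]:
            item["sources"].append(f.source)
    return sorted(items.values(), key=lambda i: (-i["score"], i["asset"], i["control"]))


# Constructed register: the same card-data exposure is reported by two audits.
SAMPLE = [
    Finding("card-db", "Confidentiality", "external audit", 4, 5, "high"),
    Finding("card-db", "Confidentiality", "regulatory audit", 3, 5, "high"),
    Finding("card-db", "Auditability", "internal audit", 3, 3, "high"),
    Finding("intranet-wiki", "Availability", "vulnerability assessment", 4, 2, "low"),
]

if __name__ == "__main__":
    for i in build_portfolio(SAMPLE):
        print(f"{i['score']:3d}  {i['asset']:14s} {i['control']:16s} {', '.join(i['sources'])}")
```

The two audits reporting the same card-data gap collapse into one portfolio item that lists both sources, so a single remediation satisfies both requirements.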

    Have a clear architectural direction / To-Be state
    * Conduct an IT Assessment to identify the As-Is State
    * Through planning, identify core strategies and architecture
    * Manage by Measurement

    Seek Optimal Treatment Plan

    Benefits of utilizing best practices
    * Enables external expertise
    * Facilitates benchmarking
    * Auditor familiarity, resulting in reduced costs

    Best Practice Control Objectives

    Components of Controls
    * Defines a specific goal
    * Aligns with business objectives
    * Describes the focus required to manage
    * Summarizes how the goal will be achieved
    * Defines potential KPIs/KGIs
    * RACI Table

    Communicate & Collaborate

    Paradigms- 7 Habits of Highly Effective People- A man on a subway sees 2 obnoxious children...

    The sum is greater than the individual pieces

    Balanced Scorecards

    Focus on 4 key paradigms
    * Financial- Fiscal Measurements
    * Customer- Service Qualities
    * Operations- Operational Efficiency & Agility
    * Learning & Growth- Fostering Growth & Innovation

    Provides measurements based on key customers being serviced

    Strategy Maps
    * Describe the To-Be state graphically
    * Facilitate collaboration
    * Minimize jargon
    * Collaborate

    Leading & Lagging Indicators

    Leading indicators
    * Sales Targets
    * # of site visitors expected this year

    Lagging indicators
    * $ Closed Deals last month
    * Visitors last year
    * Amount a specific product has generated thus far

    KPIs & KGIs

    A Key Goal Indicator, representing the process goal, is a measure of "what" has to be accomplished. It is a measurable indicator of the process achieving its goals, often defined as a target to achieve.
    * Remain Profitable
    * Take over 15% market share in a territory

    By comparison, a Key Performance Indicator is a measure of "how well" the process is performing.
    * % of Bench time for engineers - Riding the Pine
    * # of opportunities in the pipeline

    Prudent Management is not just for the enterprise anymore
    * Governance has been slowly adopted in the SMB space
    * Perceived as an enterprise play
    * ROI/CBA/NPV communication muddled with jargon
    * Talk to your audience- don't belabor acronyms and frameworks.
    * Focus on sound stewardship principles.

    Questions?

    Jeromie Jackson- CISSP, [email protected]
    619-368-7353 - direct
    www.linkedin.com/in/securityassessment