Meeting the Information Security Management Challenge in the Cyber-Age
© Copyright 2016. Citadel Information Group. All Rights Reserved.
Stan Stahl, Ph.D., President
Citadel Information Group
July 2016
The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It’s not good enough to go to your CIO and say “are we good to go.” You’ve got to be able to ask questions and understand the answers.
Major Gen. Brett Williams, U.S. Air Force (Ret.), This Week with George Stephanopoulos, December 2014
Online Fraud: Business Email Compromise Deceives Controller
From: Your Vendor, Stan
Sent: Sunday, December 28, 2014 12:07 PM
To: Bill Hopkins, Controller
Subject: Change of Bank Account
Hi Bill – Just an alert to let you know we’ve changed banks.
Please use the following from now on in wiring our payments.
RTN: 123456789 Account: 0010254742631
I’m still planning to be out your way in February. It will be nice to get out of the cold Montreal winter.
Great thanks.
Cheers - Stan
_________________________
The secret of success is honesty and fair-dealing. If you can fake that, you’ve got it made ... Groucho Marx
Company Loses $46 Million to Online Fraud
FBI Reports $2.3 Billion Lost to Business Email Compromise. LA: $14M / Month
Your Money or Your Data: Ransomware Viruses Reach Epidemic Proportions
Hollywood Presbyterian Medical Center paid $17,000 to ransomware hackers
Epidemic of Credit Card Theft … Medical Records Theft … Personnel Records Theft
Data Breach Costs Are Expensive. Money Down the Drain.
Approximately $150 Per Compromised Record
$15 Million Per Event
Investigative Costs
Breach Disclosure Costs
Legal Fees
Identity Theft Monitoring
Lawsuits (Customers, Shareholders)
http://www.ponemon.org/index.php
Competitor Steals Information. Bankrupts Company.
Intellectual Property Theft —Economic Death by a Thousand Cuts
Disgruntled Employees Sabotage Systems, Steal Information and Extort Money
Organizations Attacked for Political and Social Reasons
The Bottom Line: Cyber Security Management Is Now An Executive Management Necessity
Customer Information
Credit Cards and PCI Compliance
HIPAA Security Rule
Breach Disclosure Laws
On-Line Bank Fraud & Embezzlement
Theft of Trade Secrets & Other Intellectual Property
Critical Information Made Unavailable
Systems Used for Illegal Purposes
Cybercrime’s Greatest Impact Is on Small & Medium-Sized Organizations
30% of victims have fewer than 250 employees
60% of small-business victims are out of business within 6 months
80% of breaches preventable with basic security
Managing Information Risk — Four Key Questions
1. How serious is cybercrime and why should my organization care?
2. How vulnerable are we, really?
3. What do we need to do?
4. How do we do it?
The Cyber Underground
What they want
Who they are
How they work
http://krebsonsecurity.com/2016/07/the-value-of-a-hacked-company/
The Value of a Hacked Company
John Mallery, Computer Science & Artificial Intelligence Laboratory, 2011. http://www.slideshare.net/zsmav/models-of-escalation-and-deescalation-in-cyber-conflict
https://securityintelligence.com/who-hacked-sony-new-report-raises-more-questions-about-scandalous-breach/
RAT: Remote Access Trojan
http://searchsecurity.techtarget.com/feature/Targeted-Cyber-Attacks
The thriving malware industry: Cybercrime made easy, IBM Software,
https://securityintelligence.com/wp-content/uploads/2015/06/Cybercrime-Ecosystem-Infographic-Final.jpg
Why Are We So Vulnerable? Three Inconvenient Truths
The Internet was not designed to be secure
Computer technology is riddled with security holes
We humans are also imperfect
Cyber Security Need vs. Reality
Phishing: Users Unwittingly Open the Door to Cybercrime
`http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/`
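As an added example (not from the slides or from Citadel), the following Python makes the slide's point concrete: the only part of a hostname its owner cannot choose freely is the registered domain at the right-hand end, so `citibank` buried in a long chain of subdomains says nothing about where the link goes. The code also checks two related cues the slide does not show, the `user@host` form and unusually deep subdomain chains, and it substitutes a short hand-picked set of multi-label suffixes for the real Public Suffix List. The brand list and the comparison URLs are constructed; the long URL is the one from the slide.

```python
from typing import Iterable
from urllib.parse import urlsplit

# Simplified stand-in for the Public Suffix List (publicsuffix.org). Under these
# suffixes the registered name sits one label deeper than under a plain TLD.
# A real deployment should load the full list; this small set is illustrative.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br", "co.jp", "co.za"}

# The deceptive URL shown on the slide, used here as sample input.
SLIDE_URL = ("http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps."
             "signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f."
             "uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj."
             "4yqvgfy5geuuxeefcoe7.paroquiansdores.org/")


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that its owner actually registered.

    Everything to the left of this is a subdomain the registrant can set to
    any text they like, which is what makes the slide's URL deceptive.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_url(url: str, brands: Iterable[str]) -> dict:
    """Explain which site a URL really points to and flag brand-impersonation cues."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reg = registrable_domain(host)
    reg_name = reg.split(".")[0]   # e.g. "paroquiansdores" for paroquiansdores.org
    findings = []

    # Cue 1: a known brand name appears in the hostname, but the registered
    # domain is something else, so the brand text is only a subdomain label.
    for brand in brands:
        brand = brand.lower()
        if brand in host and brand != reg_name:
            findings.append(
                f"'{brand}' appears in the hostname but the registered domain is {reg}")

    # Cue 2: userinfo before '@'. Browsers treat text before '@' as a username,
    # not as the destination, so 'www.bank.example@other.example' goes to other.example.
    if parts.username is not None:
        findings.append(f"text before '@' is userinfo, not the destination; real host is {host}")

    # Cue 3: an unusually deep chain of subdomains, as on the slide (24 labels).
    if host.count(".") >= 6:
        findings.append(f"hostname has {host.count('.') + 1} labels")

    return {
        "host": host,
        "registrable_domain": reg,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed comparison inputs: one legitimate-looking URL and two deceptive ones.
    for u in (SLIDE_URL,
              "https://online.citibank.com/signon",
              "http://www.citibank.com@login-portal.example/"):
        r = analyze_url(u, {"citibank"})
        print(r["registrable_domain"], "-", r["findings"] or "no findings")
```

Run stand-alone, the script reports `paroquiansdores.org` as the real destination of the slide's URL, no findings for the genuine `online.citibank.com` host, and `login-portal.example` for the `@` form. In a mail gateway or awareness tool the same logic is what turns "does the link contain our bank's name?" into the question that matters, "what domain was actually registered?"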
Vendors an Increasing Information Security Risk
Visiting a Website Can Expose You to Cyberattack
Clicking an Ad Can Expose You to Cyberattack
Cyberattacks Succeed Because of Flaws — Vulnerabilities — in Programs
Technology Solutions Are Inadequate to the Challenge
http://krebsonsecurity.com/2012/06/a-closer-look-recent-email-based-malware-attacks/
Management Too Often Fails to Set Security Standards for IT Network
Senior Management: Hi Bob. Things good?
IT Head: Yes sir. Everything’s fine.
Senior Management: You’re keeping us secure now, aren’t you?
IT Head: Yes sir. Everything’s fine.
Senior Management: That’s great Bob. We’re all counting on you.
IT Head: I appreciate that sir.
Management Too Often Fails to Properly Fund IT Network Security
Senior Management: Hi Bob. Things good?
IT Head: Yes sir. Everything’s fine.
Senior Management: You’re keeping us secure now, aren’t you?
IT Head: I do. Yes sir. We need a BYOD Solution.
Senior Management: I understand. But you know how tight budgets are.
We Make It Way Too Easy: 80% of Breaches are “Low Difficulty”
Inadequate training of people
Inadequate security management of IT networks
Inadequate involvement by senior management
Verizon 2015 Data Breach Investigations Report:
http://www.verizonenterprise.com/DBIR/
Securing Your Organization
Distrust and caution are the parents of security.
Benjamin Franklin
The Objective of Information Security Management is to Manage Information Risk
Cyber Fraud
Information Theft
Ransomware
Denial of Service Attack
Regulatory / Compliance
Disaster
Loss of Money … Brand Value … Competitive Advantage
The Four Elements of Information Risk
Confidentiality … Assuring information is only accessible to those authorized to use it
Integrity … Assuring that information is changed in accordance with authorized procedures by authorized people
Availability … Assuring that information and systems are available to users when they need it
Authenticity … Assuring that a received message is really from the purported sender
The Information Security Management Chain
Identify · Protect · Detect · Respond · Recover
Continuous Security Management Improvement
Risk Transfer and Insurance
Legal and Regulatory Framework
Based Upon:
1. NIST Cybersecurity Framework 1.0, February 12, 2014, Updated December 5, 2014
2. International Standards Organization 27001:2013: Information technology — Security techniques — Information security management systems — Requirements
3. Porter Value Chain: Understanding How Value is Created Within Organizations
Don’t Try to Reinvent the Wheel: Use an Accepted Information Security Management Framework
Information Security Policies
Organization of Information Security
Human Resource Security
Asset Management
Access Control
Cryptography
Physical / Environmental Security
Operations Security
Communications Security
System Acquisition, Development & Maintenance
Supplier Relationships
Information Security Incident Management
Information Security Aspects of Business Continuity Management
Compliance
Manage Information Security Like Everything Else. Establish Leadership.
An organization's ability to learn, and translate
that learning into action rapidly, is the ultimate
competitive advantage.
Jack Welch
Take Specific Action to Protect Against Online Financial Fraud
Implement Internal Controls Over Payee Change Requests
  Assume all email or fax requests from vendors or the company President are fraudulent
  Use Out-of-Band Confirmation
Use Dedicated On-Line Banking Workstation
  Keep Patched
  Use Only for On-Line Banking
Work with Bank
  Dual Control
  Out-Of-Band Confirmation
  Strong Controls on Wires
See our blog: https://citadel-information.com/2016/02/business-e-mail-compromise-dont-be-a-victim/
Know What Information Needs To Be Protected and Where It Is
What: Online Banking Credentials, Credit Cards, Employee Health Information, Salaries, Trade Secrets, Intellectual Property, Customer Information
Where: Servers, Desktops, Cloud, Home PCs, BYOD Devices
Implement Written Information Security Management Policies and Standards
Train Staff to Be Mindful. Provide Phishing Defense Training.
Provide Information Security Education. Change Culture.
If you do not know your enemies nor yourself, you will be imperiled in every single battle.
Ensure IT Has an Aggressive Vulnerability and Patch Management Program.
Verizon 2016 Breach Report: The Vast Majority of Breaches Exploit Vulnerabilities for Which Upgrades Have Been Available for Well Over a Year
Require Vendors to Meet Security Management Standards
Security Management included in Service Level Agreements
Comply with Information Security Standards
Business Associate Agreements (HIPAA)
Information Security Continuing Education
Make Sure Critical Information Is Available in a Disaster or Ransomware Attack
Trust … But Verify.
Be Prepared: It’s Not “If” But “When”
In preparing for battle I have always found that plans are useless, but planning is indispensable.
General Dwight Eisenhower
Failing to Plan is Planning to Fail
Getting Started: Implement Basics. Assess IT Security. Develop Strategy.
Put Someone in Charge
Review IT Network Management Compliance with Security Standards
Conduct IT Network Vulnerability Scan
Establish Policies & Standards
Train Staff
Develop Strategy
Create Steering Committee to Manage Ongoing Information Security
Leadership & Organizational Improvements
Security Management of IT Network
Security Improvements to IT Network
Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease costs.
W. Edwards Deming, 14 Key Principles for Improving Organizational Effectiveness
Organize Information Security Management Learning Group
Summary: Manage Security of Information as Rigorously as Operations & Finance
Implement a Formal Information Security Management System
1. Information Security Manager / Chief Information Security Officer
  a. C-Suite and Board Governance
  b. Independent Perspective from CIO or Technology Director
  c. Supported by Cross-Functional Leadership Team
  d. Supported with Subject-Matter Expertise
2. Implement Formal Risk-Driven Information Security Policies and Standards
3. Identify, Document and Control Sensitive Information
4. Train and Educate Personnel. Change Culture.
5. Manage Vendor Security
6. Manage IT Infrastructure from an “information security point of view”
7. Be Prepared. Incident Response and Business Continuity Planning.
Information Security is Proactively Managed
Information Security Standard of Care
Total Cost of Information Security SM
Information Security Proactively Managed
Commercially Reasonable Information Security Practices
Lower Total Cost of Information Security SM
Citadel Information Group: Who We Are
Stan Stahl, Ph.D., Co-Founder & President
35+ Years Experience. Reagan White House. Nuclear Missile Control.
Kimberly Pease, CISSP, Co-Founder & VP
Former CIO. 15+ Years Information Security Experience.
David Lam, CISSP, CPP, VP Technology Management Services
Former CIO. 20+ Years Information Security Experience.
Citadel Information Group: What We Do
Deliver Information Peace of Mind SM
to Business and the Not-for-Profit Community
Cyber Security Management Services
Information Security Leadership
Information Security Management Consulting & Coaching
Assessments & Reviews … Executive Management …Technical Management
Secure Network Engineering … Secure Software Engineering
Incident Response / Business Continuity Planning
Adverse Termination
For More Information
Stan Stahl [email protected] 323-428-0441 LinkedIn: Stan Stahl Twitter: @StanStahl
Citadel Information Group: www.citadel-information.com
Information Security Resource Library
Free: Cyber Security News of the Week
Free: Weekend Vulnerability and Patch Report