Practical IT Research that Drives Measurable Results
Build Security Architecture & Roadmap Implementation
Info-Tech Research Group
Executive Summary

IT security planning is costly and time consuming. Using the Secure Network Design and Roadmap tool is a cost-free and quick way to create your organization’s ideal network design and tool implementation roadmap.

Involve the business side in IT security planning; it is not only an IT exercise. Involving the business results in:
- Better business buy-in.
- Easier cost validation for new security tools.
- More insight into future business directions.

Businesses do not require every security tool. Proper planning prevents organizations from boiling the ocean and allows them to focus on the tools their organization requires.

When it comes to tool implementations, timing matters; planning and roadmapping ensure that tools are implemented in the order that is most appropriate and most secure for the organization.
Security Plans save money and improve enterprise security

Improve Organizational Security: 55% of organizations that used security plans said that they deployed their security tools in the most secure order. The IT security planning exercise encourages organizations to take all aspects of the organization into consideration in order to create a security plan that best meets their needs.

Save Money: 45% of organizations that used security plans said that they would not have saved more money had they deployed tools in a different order.

Shift Business Perceptions on IT Security and Spending: The planning process involves the business side of the organization. Keeping the business in the loop improves the perception of IT and helps shift it from a cost center to a vital part of the organization.
Planning and requirements gathering is not a one-step process; it involves multiple inputs to create a plan that works

The following four areas are key considerations in the planning and requirements gathering phase:
- Risk assessment
- Business requirements
- Incident response
- Regulatory pressure

Organizations will not have to focus on each of these areas equally; find the balance that is right for the organization’s particular needs. Consider each of these areas when creating your security plan, since some will be more relevant to your organization than others.
2010 research shows that organizations with formal security plans feel more secure

Info-Tech research shows that 91% of organizations that had performed formal security planning also had formal policies in place. Without proper plans and policies in place, organizations are vulnerable because they have no mechanisms to deal with security issues. If there is a security breach or loss of data and an organization has no established rules in place, it can lose precious time while trying to figure out what to do. In this situation, the organization may also be legally implicated and can be liable for any losses or complications.

Companies with security documentation have the satisfaction of knowing that their IT security is appropriately scoped and designed. They will also generally have mechanisms in place to vet and update the plan regularly, ensuring the highest level of security possible.

Organizations with formal security plans are 4.5 times more likely to feel secure than organizations with no plans in place. (N=35)
Deployments gone wrong: the problems of not using a formal Security Plan

Security Gaps
Informal, ad hoc security planning results in security gaps as the organization fails to implement the right tools in the right order to maximize security.
Example: An organization that had recently purchased a Unified Threat Management solution that included gateway anti-malware protection decided that endpoint anti-malware was no longer necessary. When one of its remote employees, who had been disconnected from the network, reconnected with his infected laptop, a virus ran rampant through the network since the endpoints were all unprotected. With proper planning the organization would have considered the risks that remote workers present and would have been required to take the necessary steps to mitigate them.

Not Meeting Business Requirements
Neglecting to formally establish what the business’s security requirements are can result in failing to appropriately serve and protect the business. This can be costly in the long run.
Example: A sales organization that had plans to move to online sales never conveyed this to IT, and IT never asked what the business’s plans were because they never went through the IT security planning process. The organization’s security network architecture supported the “old” requirements but not the new direction. When the new direction was communicated, IT was unprepared to support the needs of the company. In the end, IT needed to delay the business’s move to online sales while it changed the gateway security infrastructure.

Inappropriate Tools in Place
Info-Tech research shows that companies with no formal IT security plan in place show significant randomness in the tools they choose and the order in which these are implemented.
Example: A financial organization that needed to meet specific compliance requirements purchased Content Filtering and Data Leakage Protection systems after implementing baseline tools, when it should have implemented a management system next to monitor all of the tools it already had in place. The high cost of the management system caused it to look for cheaper tools first. This misalignment resulted in the organization failing to provide conclusive reporting for security auditing purposes.
Create your ideal Security Network Architecture using Info-Tech’s Security Architecture & Roadmap tool

The Business Requirements Questionnaire tab of the tool takes answers to five questions that gauge how each of the factors discussed previously affects your organization. Based on these responses, the organization’s ideal security architecture is presented on the next tab of the tool, along with an explanation of why the different components are required. There is an example of a network diagram on the following slide for a company in the Financial Services industry.

The Security Network Architecture and Roadmap Planning Tool will accomplish two things:
1. Create the organization’s ideal security architecture.
2. Create the organization’s ideal security tool deployment roadmap.
Security Planning is not a wasted exercise; companies with plans implement tools in secure orders that keep costs low

[Chart: Would security improve if tools were deployed differently? N=33]
Takeaways: 55% of organizations with plans in place felt that their security would not have improved if they had deployed their tools in a different order. Security planning leads organizations to deploy their IT security tools in the best order to support enterprise security requirements.

[Chart: Would money be saved if tools were deployed differently? N=33]
Takeaways: Only 6% of organizations with plans in place felt that they would have saved money if they had deployed their tools in a different order. Security planning pays off; organizations without plans felt that they could have saved money had they implemented in a different order.
Choose between compliance and security; each has a different effect on the order in which tools are implemented

Baseline tools remain the same, as they are required by all companies regardless of size, requirements, or priorities. The implementation orders required to make an organization more secure or more compliant are very different. Ensure the organization picks the right factor to focus on, and validate this decision with the business side. For many organizations this is an easy decision, but for companies that are in heavily regulated industries and also have a strong requirement for the most secure environment possible, this decision becomes more complicated.

[Chart: The Importance of Security and Compliance in Organizations (Compliance vs. Security)]
Determine your ideal deployment roadmap using Info-Tech’s Security Network Architecture & Roadmap tool

The Roadmap Input Page determines which of the suggested tools are already in place and ranks compliance, cost and security factors. This information determines the tool implementation order, which is presented in a step-by-step format. The information included in each step will include:
- Tool purpose
- How the tool works
- Relative cost of the tool
- Approximate time to implement
- Implementation skill required

There is an example of a roadmap on the following slide for a company in the Financial Services industry.
Appendix I: Description of security solutions

Info-Tech’s standardized security architectures use up to fifteen different security solutions:
- Gateway firewalls
- Dual gateway firewalls
- Internal firewalls
- Gateway anti-malware
- Endpoint anti-malware
- Dual Internet connections
- Segmented networks
- Tiered networks
- Virtual Private Networks (VPN)
- Intrusion detection & prevention
- Content filtering
- Data Leakage Protection (DLP)
- Network Access Control (NAC)
- Endpoint encryption
- Enhanced authentication
- Security management technologies

The following slides describe these tools. Each slide shows a sample security architecture diagram and highlights the position of the tool in question in that diagram. The slides also indicate the relative (low, moderate, high) cost, time and skill requirements for each tool:
- Cost: low indicates something that should be affordable by most enterprises, while high may be affordable only by larger enterprises.
- Time: low indicates a deployment on the order of days to weeks, while high indicates a deployment on the order of months to years.
- Skill: low indicates a deployment that requires no specialized expertise, while high indicates a deployment that requires significant expertise.
Appendix I-n: Enhanced Authentication

Enhanced authentication is necessary when passwords are not sufficient to protect an organization’s systems. It uses multiple factors of authentication (something you know, something you have, something you are) to establish a greater level of confidence that authenticated users are who they claim to be. Additional factors beyond the password include a second factor (something you have) and a third factor (something you are).

Cost: Moderate to High
Time: Moderate to High
Skill: Moderate to High
Appendix II: Methodology

This solution set used data collected from a survey conducted in April 2010 on the topics of security policy development, deployment and enforcement. 117 responses were received.