Bridging the Gap Operations and Security

Presentation transcript:

Bridging the Gap Operations and Security

Craig Bowser
- 15+ years in InfoSec
- Security Analyst, SOC Manager, Information Security Manager, Security Engineer, All Things SIEM
- GSEC, GCED, CISSP
- Christian, Father, Husband, Geek, Scout Leader who also does some woodworking
To Do List > To Do Open Slots

Ideally….

Commonly…

At best…

So what are the causes?
- 3 Foundational issues
- 3 Technical issues
- 3 Additional tips

FUNDAMENTAL ISSUES

Issue #1 - Bad Staff Structure
- Does each group report to a different CXO?

[Org chart: two separate reporting chains. CEO > CIO > VP IT > Dir OP > IT Manager > IT, and CEO > CSO > VP Sec > Dir Sec > Sec Manager > Security]

Issue #1 - Bad Staff Structure
- Does each group report to a different CXO?
- Is security viewed as compliance, not as an operational group?

- Make checklist
- Check off first item on checklist
- Display completed items on checklist

Suggestion #1 – Align Staff Structure
- Align Ops and Security under one head at an appropriate level

[Org chart: CEO > CIO / CSO > VP IT / VP Sec > a single Dir OP / Sec (or a CCB) > IT Manager and Sec Manager > IT and Security]

Suggestion #1 – Align Staff Structure
- Align Ops and Security under one head at an appropriate level
- Move audit / compliance into their own group

Issue #2 – Each Group Has Different Goals
- Security wants to protect
- Ops wants max uptime

Suggestion #2 – Align or Merge Goals
- Management needs to provide guidance and set priorities
- Align with organization mission and goals

Issue #3 – Who is doing what?
- Does each group have their own procedures for the same situation?
- Is there confusion over investigative and reporting responsibilities?

Suggestion #3 – Get signed policies
- Designate roles and responsibilities
- List authorized actions
- Develop SOPs

TECHNICAL ISSUES

Technical Issue #1: Patching and Secure Configuration
Security: "Patch now! Fix your configs! Don't you know how important this is?!?!"
Ops: "Need to test! That's not critical! That config breaks the app! Stop talking down to us!"

Suggested Solutions
- Build and use a test bed
- Review and prioritize fixes
- Provide fix suggestions
- Develop alternative mitigations

Technical Issue #2 – Ops installs new application or capability
Ops: "Deploy now! Users need it! Customer wants it! Why don't you understand operations / business?"
Security: "What? We have no warning / prep! Completely insecure! Opens up holes! Skipped security testing!"

Suggested Solution
- Build and use a test bed
- Involve both sides early in the requirements phase
- Ensure security understands the problem Ops is trying to solve

Technical Issue #3 – Security implements new tool / process
Security: "Enhance security! More rules! Trust but verify! Analyze all things! Don't you see how this makes us more secure?"
Ops: "More things breaking! More users / customers yelling! Slower network! No visible benefit!"

Suggested Solution
- Build and use a test bed
- Get Ops involved early in planning
- Eat your own dog food
- Phased implementation

ADDITIONAL TIPS

Finishing Touches
- Help retire a device that's EOL
- Use your monitoring tools to augment theirs
- Respond to their requests for assistance

CONCLUSION

Questions?
Craig Bowser
@reswob10
reswob10@gmail.com