Security Governance Technology Executive Club

Security Governance Technology Executive Club
Patti Suarez, CISSP
Global Information Security Manager, Wm. Wrigley Jr. Company

About the presenter
Patti Suarez
Global Information Security Manager for Wm. Wrigley Jr. Company
15 years of experience in information security, with the financial services, health care and telecommunications industries
Certified Information Systems Security Professional
Graduate of Roosevelt University, B.S. Telcom

Objectives for today’s presentation
Informative
What are the drivers for Information Security at Wrigley?
Explain how Wrigley’s Information Security foundation is standards based
Recent threat statistics
Wrigley’s Global Information Security Model

The Time for Information Security is Now
External Drivers
Changing customer structures
E-commerce opportunities
Changing market expectations
Technology development
Internal Drivers
Desire to meet changing customer needs and increase speed-to-market
Need for global information sharing

Information Security is not just technology
Wrigley’s Security Program: an integrated approach to selecting and deploying tools, operational processes and organizational roles.
Regulations have placed the final accountability for securing corporate and customer information on the shoulders of the Board of Directors:
Gramm-Leach-Bliley
HIPAA
EU Privacy
Duty to Disclose Security Breach (CA)
COPPA (Children’s Online Privacy Protection Act)
Sarbanes-Oxley Act
Federal Information Security Management Act

Information Security is not just technology
Everyone in Wrigley needs to have a basic understanding of information security requirements.
Specific responsibilities across the organization need to be clear.

The Threats Are Real
Three percent of online sales will be lost because of credit card fraud. (Dec 05, 2002)
More than 7,000 viruses detected this year. (Dec 12, 2002)
Internet attacks against public and private organizations jumped 28 percent from January to June 2002. (Oct 24, 2002)
Roughly 180,000 Internet-based attacks hit U.S. businesses in the first half of 2002. (Jul 09, 2002)
Security breaches occur at 85% of U.S. businesses and government organizations. (Mar 13, 2001)
Reports on inside security breaches up 7 percentage points over 2000. (Oct 16, 2001)
Source: CSO Magazine

Wrigley’s Information Security Mission
The Global IT Security mission is to provide information security leadership, direction and guidance through mutual understanding of business enablers and tolerance of risk. We will accomplish this by implementing industry standards in the areas of perimeter defense, risk mitigation, policy creation, education, awareness, monitoring and response to security events. Through security best practices we will ensure the confidentiality, availability and integrity of our systems and data in the areas of people, technology and process.

Information Security drives value into Wrigley’s Initiatives
Increases shareholder value
Protects brand
Brings value to business relationships
Trusted Computing Security Program
Physical/logical access controls

Wrigley’s Information Security Program Based On International Standards
ISO 17799: internationally recognized information security standard.
A comprehensive set of controls comprising best practices in information security.
Intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce.
Facilitates trading in a trusted environment.

Wrigley’s Information Security Model
(Diagram: the model is a grid of Elements, Layers and Fronts.)
Elements: Governance, Operations, Architecture
Layers: Prevention, Detection, Verification, Response
Fronts: Tools, Process, Roles

Information Security Program Elements
Governance: defining and overseeing the program
Security policy, standards and guidelines
Organizational roles and responsibilities
Assessment of risk and security plans to control it
Metrics and processes to determine how well the organization is adhering to information security policies, processes, procedures and guidelines
Access controls: who has access to sensitive systems and data
Security awareness programs

ISO 17799 BENCHMARKING IN THE AREA OF ORGANIZATIONAL SECURITY
Is there a liaison with external information security personnel and organizations, including industry and/or government security specialists, law enforcement authorities, IT service providers and telecommunications authorities?
Has a capability been established that provides specialized information security advice?
Has a management approval process been established to authorize new IT facilities from both a business and technical standpoint?
Has a process been established to coordinate implementation of information security measures?
Are responsibilities for accomplishment of information security requirements clearly defined?
Has a forum been established to oversee and represent information security?

ISO 17799 BENCHMARKING IN THE AREA OF ORGANIZATIONAL SECURITY (continued)
Have the security requirements of the information owners been addressed in a contract between the owners and the outsource organization?
Has an independent review of information security practices been conducted to ensure feasibility, effectiveness and compliance with written policies?
Are security requirements included in formal third party contracts?
Have specific security measures been identified to combat third party connection risks?
Have third party connection risks been analyzed?

Information Security Program Elements
Operations: administering and enforcing
Information Security policies and access controls
Controls for physical/logical access to information assets
Processes and procedures to minimize the likelihood of disruptions, recover from disasters and respond to security incidents

Information Security Program Elements
Architecture: designing and implementing
Development methodology for secure information systems
Systems and controls that limit the risk of unauthorized access to business assets

Information Security Layers
Across the enterprise there should be layers of protection to ensure that the risks are managed effectively. Each security layer supports the next to minimize the probability of security problems and minimize the exposure Wrigley faces when incidents do occur.
Prevention: protecting information through effective use of technology, processes and organizational responsibilities to limit the potential of a threat being realized.
Detection: manual and automated mechanisms to identify and isolate security problems. This includes active and passive monitors and analytical procedures.

Information Security Layers (continued)
Verification: manual and automated mechanisms to ensure that required security measures are in place. This can take forms including vulnerability assessments, audit and monitoring tools.
Response: when prevention measures fail, Wrigley needs a rapid, pragmatic response capability. This requires planning for containment, triage and direct response.

Information Security Fronts
Information Security is not just a technology problem. There is no “silver bullet” to make a dramatic improvement in the security posture of Wrigley. The posture depends on developing, enforcing and maintaining safe computing practices on the unified fronts of Tools, Processes and Roles.
Roles: creating the roles that ensure clear responsibilities and accountability in business units, the Information Security organization, suppliers and business partners. Eliminating gaps and reducing overlaps to ensure that requirements are met.
Processes: establishing repeatable solutions or compensating controls for business risks, ensuring that they are measured regularly, and periodically aligning business and information security goals.
Tools: protecting information through effective use of technology (e.g. firewalls, authentication and authorization mechanisms) that results in reusable solutions to business risk scenarios.

Wrigley’s Security Program In Perspective
(Diagram: inputs and components of Information Security Management.)
Inputs: Business Initiatives, Threats, Enterprise Architecture Strategy, Legislation
Information Security Vision and Strategy
Vulnerability & Risk Assessment
Security Policy
Senior Management Commitment
Training and Awareness
Security Architecture and Technical Standards
Administrative and End-User Guidelines and Procedures
Enforcement Process, Monitoring Process, Recovery Process
Information Security Management