Information Security Forum to an Information Security Plan

Presentation on theme: "Information Security Forum to an Information Security Plan"— Presentation transcript:

1 Information Security Forum to an Information Security Plan
From an ISO 17799 Audit to an Information Security Plan (the 100 day plans - part 2)
By Jim Reiner, Sacramento County
July 31, 2007

2 The end-goal: a formal information security program
- Governance
- Security Committee & Professionals
- Employee Training
- Security Controls
- Monitoring & Auditing
- Information Classification
- Policy and Procedures
- Business Continuity & Disaster Planning
- Information Risk Management

3 My focus as the Information Security Officer:
Articulate the overall strategy.
My Approach: Staging 100 day plans for an immediate focus while achieving longer term objectives.
1st 100 days (Oct-Jan):
- Survey managers & staff
- Set a goal and a strategy
- Select a security audit checklist
2nd 100 days (Jan-April):
- ISO info security audit
- Update security intranet site
- ID who does what relative to security
3rd 100 days (May-August):
- Select performance metrics
- Build a security business plan
- Put in place security training
4th 100 days (Aug-Nov):
- Publish updated policies
- Budget for the Security Program
- Manage the security program

4 Packet provided to assist with ideas, approaches
- 50 – ISF, Jan
- 60 – CCISDA, Mar
- 80 – GTC, May
All figured out? No, but as I mingle with security folks and their challenges I wondered…

5 Audit → IS Plan → IS Pgm

6 We used the ISO 17799 Checklist
Information Security Management Audit Check List:
- Governance
- Information Security Professionals
- Employee Security Training
- Security Controls
- Monitoring & Auditing
- Policies, Standards, and Procedures
- Business Continuity & Disaster Planning
- Information Classification
- Information Risk Management
- Audit

7 ISO 17799 Audit Initial Results
10 audit topics – 127 individual items (chart values: 32, 57, 38)

8 Audit Final Results (chart values: 77; 21 High Risk; 50)

9 Organizing the initiatives
- Administrative
- Physical
- Technical

10 IS Plan 1 of 4

11 Value – Risk Mitigation vs. Level of Effort – Impact on OCIT
Axes: Value – Risk Mitigation (Low to High); Level of Effort – Impact on OCIT (Low to High). Target: IS Pgm.

12 Value – Risk Mitigation vs. Level of Effort – Impact on OCIT
Ratings of 2007 OCIT Security Plan Initiatives List
Axes: Value – Risk Mitigation (Low to High); Level of Effort – Impact on OCIT (Low to High). Legend: Completed, In progress, Not started.
Quadrants 1, 2: Remote data access; Laptop encryption; Security awareness; Shredding; DR plans; ISM V.4; Emergency response plan; Hard key mgmt; Pandemic flu plan; encryption RFP standards; Test data; Security metrics; Loading dock; Application security; OCIT compliance; Network Access Ctl; Incident reporting; MPOE security; Security architecture
Quadrants 3, 4: Bureau procedures; OCITSC charter; Login banners; Vendor access; Confidentiality agreements; Panic button; Offsite data; Asset inventory; Parcel inspection; Clean desks; Backup encryption

13

14 Network Vulnerability Assessment and Mitigation
A CASE STUDY. This is a case study about Sacramento County as well as VA.
Chas Lesley – 10 yrs service, SPT, enterprise security engineer and architect
Mike Walters -

15 Additional information we think you will find helpful.
Not all covered here.
