Making a Cultural Change for
Information Security
Presented by
John Kelley and Doug Copley
25 MAR 2017
Note to Reviewer
Much of this document is specific to Sequris Group information systems, policies, procedures, and IT
security posture. As such, the contents of this presentation are classified as CONFIDENTIAL and cannot
be copied, reused, or distributed without express written authorization from Sequris Group.
Sequris Group, LLC Content All Rights Reserved 2011-2017
WWW.SEQURISGROUP.COM
© 2017 | 2
Contact Information
John Kelley
Sequris Group, LLC
(248) 837-1430
C-586-907-9751
jkelley@sequrisgroup.com
Doug Copley
CISO | CPO | Strategist | Advisor
(517) 204-5701
douglas.copley@gmail.com
https://linkedin.com/in/dcopley
https://twitter.com/DouglasCopley
Who is the CISO?
1. Security Leader? IT Leader? YES, Depends
2. Business-Savvy Executive? YES
3. Risk Leader? YES
4. Compliance Leader? Depends
5. Team Leader, Coach, Mentor? YES
6. Therapist? YES
7. MacGyver? YES
CISO – The Impossible Job? Or Just Thankless
(Diagram of the control landscape a CISO owns.)
Layers: Data; Network; Databases; Systems; Endpoints; Messaging & Content; Application; Infrastructure
Functions across every layer: Policy definition; Enforcement; Monitoring & response; Audit/Measurement; Compliance monitoring
Controls: Firewall; VPN; Database encryption; Database security and monitoring; Storage security; Firewall/Host IPS; Web security gateway; Antivirus/Antispyware; Device control; Hard drive encryption; XML gateway; Digital rights management; Identity & Access Management; Anti-spam; Asset Management; Mobile device security; Switch/Router Security; Web security; Vulnerability Management; Application Assessment; Digital Investigation & Forensics; Wireless monitoring; Security Incident Management; Patch management; IDS/IPS; NAC; Application firewall; Enterprise encryption & key management; Data Leak Prevention; Forensics; Enterprise directory; Web SSO; Email content filtering; Antivirus; Strong Authentication; App encryption; Risk Management; Basic Auditing
Requires the ability to work in uncertainty
(Cartoon, "What Some Days Felt Like": "Day 1", "You are here…", "Arranging deck chairs…")
Source: http://www.workinginuncertainty.co.uk/
CISO Priorities in 2017
• Managing information risk
• Executive business partner (enable)
• Successfully navigating the landscape
(business, regulatory, threat)
• Risk-based strategy & vision
• Leadership (security, team, change)
• Drive the culture of risk identification
Primary Focus: Enable the business while
managing risk & compliance
KEEP THINGS SIMPLE
Practical Steps for a CISO
1. Decide on a framework (ISO, NIST, HiTrust, etc.)
2. Build relationships & understand business priorities
3. Understand the technical environment, critical information and information flows
4. Identify & assess areas of risk
5. Governance committee prioritizes actions
6. Implement controls
7. Measure control effectiveness
Periodic Security Risk Assessment
• Can provide a risk baseline
• Can provide an estimated compliance baseline
• Provides a process to measure progress
• Must consider all “reasonably foreseeable risks”
• Should align closely with regulatory expectations and guidance
• Make sure the scope is complete so you don’t end up doing another assessment to catch the areas you missed
• Will be the primary input into the security roadmap
8. Evaluate the Risks
• Determine which threats and vulnerabilities apply to each set of information
• Ask yourself what the worst-case scenario is
• Assess likelihood and impact
• Do you have controls that already mitigate some of the risk?
• Use Finance to help measure risk in $$
• Rank the risks – is there a documented tolerance?
• Evaluate the cost and effort of additional mitigating controls
• Let the governance committee decide on actions
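The evaluation steps on this slide (likelihood and impact, risk in dollars, ranking against a documented tolerance, cost and effort of additional controls, a decision for the governance committee) can be carried through as a small risk-register calculation. The following is an added example, not part of the Sequris deck or of any Sequris tool: the risk names, likelihoods, dollar figures, control costs and the tolerance are all constructed sample values, and the greedy control-selection rule is an assumption of this example rather than a method the slide prescribes.

```python
# Added example, not from the Sequris deck: rank information risks in dollar
# terms against a documented tolerance and weigh additional controls by the
# annual loss they avoid versus what they cost. Every risk, likelihood, dollar
# figure, control and the tolerance below is a constructed sample value.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    info_set: str          # the set of information the threat/vulnerability applies to
    likelihood: float      # expected occurrences per year
    impact_usd: float      # loss per occurrence in dollars, estimated with Finance
    mitigation: float = 0  # fraction of that loss existing controls already prevent

    @property
    def annual_loss(self) -> float:
        """Expected annual loss after existing controls: likelihood x impact x (1 - mitigation)."""
        return self.likelihood * self.impact_usd * (1.0 - self.mitigation)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost_usd: float      # cost and effort of the additional control, per year
    reduces: Dict[str, float]   # risk name -> fraction of residual annual loss removed


# Documented tolerance (constructed): the most expected annual loss the
# governance committee will accept from any single risk.
TOLERANCE_USD = 50_000.0

SAMPLE_RISKS: List[Risk] = [
    Risk("Ransomware on file servers", "clinical documents", 0.5, 400_000.0, 0.25),
    Risk("Lost unencrypted laptop (PHI)", "patient records", 2.0, 50_000.0),
    Risk("Phishing credential theft", "email accounts", 4.0, 20_000.0, 0.5),
    Risk("Data center flood", "all systems", 0.05, 400_000.0),
]

SAMPLE_CONTROLS: List[Control] = [
    Control("Full-disk encryption rollout", 30_000.0, {"Lost unencrypted laptop (PHI)": 0.9}),
    Control("Offline backups with restore testing", 40_000.0, {"Ransomware on file servers": 0.6}),
    Control("Security awareness program", 60_000.0,
            {"Phishing credential theft": 0.5, "Ransomware on file servers": 0.1}),
]


def rank_risks(risks: List[Risk], tolerance_usd: float) -> List[Tuple[str, float, bool]]:
    """Worst first: (name, expected annual loss, exceeds the documented tolerance?)."""
    ordered = sorted(risks, key=lambda r: r.annual_loss, reverse=True)
    return [(r.name, r.annual_loss, r.annual_loss > tolerance_usd) for r in ordered]


def loss_avoided(control: Control, residual: Dict[str, float]) -> float:
    """Annual loss a control removes, given the current residual loss of each risk."""
    return sum(residual.get(name, 0.0) * frac for name, frac in control.reduces.items())


def evaluate_controls(risks: List[Risk], controls: List[Control], tolerance_usd: float):
    """Greedy selection for the governance committee: repeatedly take the control
    with the best net benefit (loss avoided minus cost) against the current
    residual, stop when nothing left pays for itself, and report which risks
    still exceed tolerance (accept, transfer via insurance, or fund more controls).
    Returns (accepted [(name, net benefit)], residual loss per risk, names still above tolerance)."""
    residual = {r.name: r.annual_loss for r in risks}
    accepted: List[Tuple[str, float]] = []
    remaining = list(controls)
    while remaining:
        best = max(remaining, key=lambda c: loss_avoided(c, residual) - c.annual_cost_usd)
        net = loss_avoided(best, residual) - best.annual_cost_usd
        if net <= 0:
            break
        accepted.append((best.name, net))
        # Apply the control before judging the next one, so overlapping
        # controls are not credited twice for the same loss.
        for name, frac in best.reduces.items():
            if name in residual:
                residual[name] *= 1.0 - frac
        remaining.remove(best)
    still_above = [name for name, loss in residual.items() if loss > tolerance_usd]
    return accepted, residual, still_above


if __name__ == "__main__":
    for name, loss, above in rank_risks(SAMPLE_RISKS, TOLERANCE_USD):
        print(f"{name:32s} ${loss:>10,.0f}  {'ABOVE TOLERANCE' if above else 'within tolerance'}")
    accepted, residual, still_above = evaluate_controls(SAMPLE_RISKS, SAMPLE_CONTROLS, TOLERANCE_USD)
    for name, net in accepted:
        print(f"fund: {name} (net benefit ${net:,.0f}/yr)")
    print("still above tolerance, committee decision needed:", still_above)
```

With the sample values, two of the four risks exceed the tolerance; funding the two controls that pay for themselves brings the laptop risk well inside tolerance but leaves ransomware above it, which is exactly the residual the slide's last bullet hands to the governance committee. Applying each accepted control to the residual before scoring the next one matters: the awareness program looks worse, not better, once the backup control has already reduced the ransomware loss it also claims.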
Managing Cyber Risk
• The key is appropriately managing the risks
  • Policies & procedures (administrative)
  • Technology tools (technical)
  • Control physical access (physical)
• Risk/Cost decision: Do we need to:
  • Prevent it from happening?
  • Detect & respond when it happens?
  • Would it automatically get corrected?
  • Do we get cyber insurance?
• Is there a strong culture of openness?
Perspective: Users - Asset or Liability?
Liability
• Aren’t aware of policies
• Careless; make mistakes
• Contract malware
• Steal company secrets
• Sabotage systems
• Falsify data
• Steal identities
Asset
• Help educate others
• Police their departments
• Report risky behavior
• Help improve policies
• Help remediate events
• Pilot new controls
• Suggest new processes
UNDERSTAND THE NEEDS OF EXECUTIVE LEADERSHIP
Six Cybersecurity Questions Boards Should Ask
1. Does the organization use a security framework?
2. What are the top five risks the organization has related to cybersecurity?
3. How are employees made aware of their role related to cybersecurity?
4. Are external and internal threats considered when planning cybersecurity program activities?
5. How is security governance managed within the organization?
6. In the event of a serious breach, has management developed a robust response protocol?
© 2014 The Institute of Internal Auditors Research Foundation
ISO 27002:2013 Framework
NIST Cybersecurity Framework
CIS Critical Security Controls (formerly the SANS Top 20)
Top Five Cybersecurity Risks
Be concise and transparent:
1. Asset Management
2. Network Access Control
3. Security Event Monitoring
4. User Education
5. Business Continuity
Example: Initiatives To Change 2016 Risk Levels
Asset Management (red to yellow)
• Infrastructure – finish deployment of existing tools
• Set up device discovery scans in Qualys
• Establish an inventory process for networked medical devices
Operations Management Security (red to yellow)
• Scale the SIEM platform for Beaumont Health
• Greatly expand the vulnerability management program
• Mature anti-malware management practices (follow-up)
• Implement web application scanning (already licensed)
• Drive security planning into the SDLC process
Executive Dashboard
• Intended to convey a high-level status of the program to C-level executives and the Board
• The Security Dashboard should convey:
  • Status of regulatory compliance
  • Capability, maturity and implementation level of the program
  • Key areas of information risk to the organization
  • Current initiatives and future state posture
  • External ties and intelligence information
• Must answer the question “Is our Information Security program effective?”
Information Security (ISO) Risk Dashboard
(Dashboard showing risk and effort counts for each framework area; only the area labels are recoverable here.)
Framework areas: InfoSec Management Program (IS); Access Control (AC); Human Resources Security (HR); Risk Management (RM); Security Policy (SP); Organization of Information Security (OI); Compliance (CO); Asset Management (AM); Physical Security (PS); Communications Security (CS); Systems Acquisition, Development, and Maintenance (SD); Incident Management (IM); Business Continuity (BC); Cryptography (CR); Operations Management (OM); Supplier Relationships (SR)
Risks and Efforts by Framework Area (#Risk Items / #Open Initiatives)
Information Security Management: 3 / 4
Human Resource Security: 17 / 22
Access Control: 1 / 2
Security Policy: 5 / 4
Risk Management: 12 / 3
Compliance: 0 / 3
Organization of Information Security: 0 / 11
Asset Management: 5 / 2
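A chart like the one above is only as trustworthy as the register roll-up behind it. As an added example (not the deck's own tooling and not a Sequris product), the code below turns a small IT risk register into the per-area "#Risk Items / #Open Initiatives" pairs, and additionally flags open risk items that no open initiative is addressing, which is the gap a governance committee most wants surfaced. The eight area names are the slide's; every register row, initiative, and the red/yellow/green rule are constructed for illustration.

```python
# Added example, not the deck's own tooling: roll an IT risk register up into
# the "#Risk Items / #Open Initiatives" per framework area shown on the slide,
# and flag open risks that no open initiative is working on. The eight area
# names are the slide's; every register row, initiative and the red/yellow/
# green rule are constructed for illustration.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

AREAS = [
    "Information Security Management",
    "Human Resource Security",
    "Access Control",
    "Security Policy",
    "Risk Management",
    "Compliance",
    "Organization of Information Security",
    "Asset Management",
]
RISK_STATUSES = ("open", "pending closure", "closed")


@dataclass(frozen=True)
class Initiative:
    init_id: str
    area: str
    is_open: bool


@dataclass(frozen=True)
class RiskItem:
    item_id: str
    area: str
    status: str
    initiatives: Tuple[str, ...] = ()  # initiatives that address this item


def validate(items: List[RiskItem], initiatives: List[Initiative]) -> None:
    """Reject rows a dashboard must not silently absorb: unknown areas or
    statuses, and links to initiatives that do not exist."""
    known = {i.init_id for i in initiatives}
    for i in initiatives:
        if i.area not in AREAS:
            raise ValueError(f"{i.init_id}: unknown framework area {i.area!r}")
    for item in items:
        if item.area not in AREAS:
            raise ValueError(f"{item.item_id}: unknown framework area {item.area!r}")
        if item.status not in RISK_STATUSES:
            raise ValueError(f"{item.item_id}: unknown status {item.status!r}")
        for ref in item.initiatives:
            if ref not in known:
                raise ValueError(f"{item.item_id}: links to missing initiative {ref!r}")


def rollup(items: List[RiskItem], initiatives: List[Initiative]) -> Dict[str, Tuple[int, int, int]]:
    """Per area: (risk items not yet closed, open initiatives, open risk items
    with no open initiative addressing them)."""
    validate(items, initiatives)
    is_open = {i.init_id: i.is_open for i in initiatives}
    risks = Counter(item.area for item in items if item.status != "closed")
    inits = Counter(i.area for i in initiatives if i.is_open)
    uncovered = Counter(
        item.area for item in items
        if item.status == "open" and not any(is_open[ref] for ref in item.initiatives)
    )
    return {area: (risks[area], inits[area], uncovered[area]) for area in AREAS}


def register_summary(items: List[RiskItem]) -> Dict[str, int]:
    """Headline register numbers: how many items are open, pending closure, closed."""
    counts = Counter(item.status for item in items)
    return {status: counts[status] for status in RISK_STATUSES}


def rag_status(risk_items: int, open_initiatives: int, uncovered: int) -> str:
    """Constructed rule: green with nothing open, red when an open risk has
    nobody working it, yellow otherwise (open risks, all with an initiative)."""
    if risk_items == 0:
        return "green"
    return "red" if uncovered else "yellow"


def dashboard_lines(table: Dict[str, Tuple[int, int, int]]) -> List[str]:
    """Text rendering of the slide's table with a status colour per area."""
    return [f"{area}: {r} / {i}  [{rag_status(r, i, u)}]" for area, (r, i, u) in table.items()]


# Constructed register: four asset-management items, one access-control item
# nobody is working on, one compliance item already closed by its initiative.
SAMPLE_INITIATIVES = [
    Initiative("I-1", "Asset Management", True),
    Initiative("I-2", "Asset Management", True),
    Initiative("I-3", "Asset Management", False),
    Initiative("I-4", "Compliance", True),
    Initiative("I-5", "Compliance", True),
]
SAMPLE_ITEMS = [
    RiskItem("R-1", "Asset Management", "open", ("I-1",)),
    RiskItem("R-2", "Asset Management", "open", ("I-1", "I-2")),
    RiskItem("R-3", "Asset Management", "pending closure", ("I-3",)),
    RiskItem("R-4", "Asset Management", "closed", ("I-3",)),
    RiskItem("R-5", "Access Control", "open"),
    RiskItem("R-6", "Compliance", "closed", ("I-4",)),
]

if __name__ == "__main__":
    print("\n".join(dashboard_lines(rollup(SAMPLE_ITEMS, SAMPLE_INITIATIVES))))
    print(register_summary(SAMPLE_ITEMS))
```

Two design points carry over to a real register: initiatives are counted per area on their own, so an area can legitimately show zero risk items and several open initiatives (as Compliance and Organization of Information Security do on the slide), and a "pending closure" item still counts as a risk item until Internal Audit or Compliance signs it off, matching the three states the deck's own register uses.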
RELATIONSHIPS AND COMMUNICATION
Example Security Governance
Organizational Structure
• The Information Security Officer has a reporting relationship to the CIO & CCO
IT Risk Register
• Contains identified risks, deficiencies, control gaps and audit findings
• Visible to Corporate Compliance and Internal Audit
• 155 closed, 5 pending closure, and 75 open
Committees
• Information Access, Privacy and Security
• Business Ethics and Corporate Compliance
• Research Institute Compliance
• Payment Systems Governance
Culture – All Hands on Deck - Incident Response
• Breaches are inevitable
• Effective response requires engagement of senior stakeholders across the organization (relationships)
• Have a well-documented process
• How quickly will you recognize an incident?
• Does everyone understand their role?
• Practice incident response
• Continuously improve based on exercises
• Be prepared – it will happen
Why Track Program Metrics?
• Integral to a program’s governance
• Keeps staff & stakeholders aligned
• Supports continuous improvement
• Can show resource gaps or shortages
• Manage service provider SLAs
• Provides assurance to executives & the Board
• Provides a basis for comparative benchmarking
“You can’t manage what you can’t measure.” - W. Edwards Deming
Building Security Without Boundaries
• Resources are ALWAYS constrained
  • This is the reason for risk-based prioritization
• Outsource if necessary, but only commodity functions
• Reward innovation (think like there is no box!)
  • May increase productivity
  • Can help improve morale
• Look for external funding
  • Federal & State grants may be available
  • May be able to participate in outside initiatives
Leverage Key Partnerships
Build a culture of collaboration that actively engages
those outside your organization for best practices
In healthcare, key resources are:
1. Peer organizations – non-profit and for-profit
2. State - Dept. of Community Health
3. State - Health Information Exchanges
4. State - Health & Hospital Association
5. HiTrust & NH-ISAC
6. Federal – Health & Human Services
7. Federal – FBI & InfraGard
8. Federal – Homeland Security
Sequris Message
Sequris Group is a full service Information Security Company with a Proven and Quantifiable IT Security Framework that allows our clients to achieve Measurable Results and a Guaranteed Increase to their Security Profile and Posture.
Current State of the Industry
Survey, June 2016, by Dark Reading and the Black Hat USA conference; predominantly large companies, with 60% of respondents working at organizations of 1,000+ employees
• IT professionals believe there is a 40% chance that a security breach will occur in the next 12 months
• Too many rapidly evolving vulnerabilities
• A rise in social engineering attacks aimed directly at targeted organizations
• What to do about ransomware
• Resources for organizations to deal with all of the cybersecurity concerns
• IoT
• Ransomware
Top Executive Concerns
• Attacks directly targeted at our organization
• Effort to stay in compliance
• Phishing, social network exploits, social engineering
• Accidental data leaks by end-users
• Effort to measure the organization’s security posture
• Data theft by insiders
• Mistakes or attacks that cause the organization to lose compliance with industry regulations
• Espionage
• Ransomware
• Employee Training and Awareness
• A Solid Security Plan
Source: Black Hat Survey 2016
About Sequris Group
• Established in 1996
• More than 800 clients
• Over 3,000 projects completed
• National footprint
• HQ in Royal Oak, Michigan
• Sales and service offices
  • Royal Oak, Michigan
  • Denver, CO
  • Phoenix, Arizona
• SOC – Royal Oak
• Data Center – Phoenix
Technology Partners
(Slide of partner logos.)
THE SEQURIS APPROACH
Making a Cultural Change
• Baseline Metrics and Gap Analysis
• A Roadmap to Success
• Aligning Metrics with Program Goals: People, Process and Technology
• Program Improvement Reporting and Display
• Participate and Share with Comparative Analytics
• A Comprehensive Suite of Security Services
Where do you stand now?
(Matrix with two axes: Risk Tolerance & Security Policy (Requirements), from Ambiguous to Explicit; and Security Operations (People, process, technology), from Reactive to Proactive. Quadrants: Chaos; Opportunity for Improvement; Predictive; Optimize.)
• Q|Frame™ is a holistic and proven information security framework that aligns risk tolerance with security operations.
• Q|Frame™ provides the foundation for identifying metrics, measurements, and reporting.
• Q|Frame involves an IT security gap analysis, allowing your organization to consider its current level of maturity and improve its security profile.
• Q|Frame™ is a proprietary model that allows us to ‘insert’ relevant security controls for any client environment and regulatory posture.
• Q|Frame is based upon 4 recurring phases:
  • Determine Baseline
  • Priority Action Map
  • Engage People, Processes, Technology
  • Measure Effectiveness
Quantifiable Information Security Framework to improve your Information Security posture.
Q|Frame™ Dashboard: 20 Critical Cyber Security Controls
(Bar chart of the capability maturity coefficient, 0% to 100%, for each control.)
1. Inventory of Authorized Devices
2. Inventory of Authorized Software
3. Secure Configurations for Computers
4. Secure Configurations for Network Devices
5. Boundary Defenses
6. Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Network Access Control
14. Wireless Device Control
15. Data Loss Prevention
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment
What are your Regulatory or Business Drivers?
• HIPAA – Health Insurance Portability and Accountability Act
• GLBA – Gramm-Leach-Bliley Act
• PCI DSS – Payment Card Industry Data Security Standard
• SOX – Sarbanes-Oxley (SOX 404)
• HITRUST – Health Information Trust Alliance CSF Controls
• SANS – Information Security Technology Institute and Training
• CJIS – Criminal Justice Information Services Security Policy
• ISO/QS – International Organization for Standardization
• NIST – National Institute of Standards and Technology, US Department of Commerce
Characteristics of Maturity Levels in Security
Initial: Processes are unpredictable, poorly controlled and highly reactive.
Managed: Process is characterized for only a few projects and is most often reactive.
Defined: Processes are characterized for the organization and generally proactive with defined goals. (Projects tailor their process from the organization’s standard.)
Quantitatively Managed: Process overall is measured and controlled.
Optimizing: Focus on incremental process improvement.
Source: Software Engineering Institute (SEI), CMMI® for Services, Version 1.3 (CMMI-SVC, V1.3), CMMI Product Team, “Improving processes for providing better services”, November 2010. Software Engineering Process Management Program. Unlimited distribution subject to the copyright. http://www.sei.cmu.edu/reports/10tr034.pdf
Q|Frame™ Applied to Critical Controls
Priority Action Map
(Gantt-style timeline: Jan, Feb, Mar, Apr, May, June, July)
• The timeline outlines successive security enhancements across the organization.
• Some projects will overlap because of general information gathering, etc.
• Timelines are estimates; however, a 0.8 confidence factor is applied.
Workstreams on the map:
• Security Task Force Meeting / Calibrate Next Twelve Months
• InfoSec Procedure Creation
• Wireless Security & PCI Review
• End-user Computing Security
• Organizational Security
• Remote/Mobile Security
• Incident Response Plan
• Network Security
• Asset Classification/Mgmt
Wireless Network Security Enhancements (Example)
Project Narrative: Wireless networks extend the traditional boundaries of local area networks. With that in mind, it is the goal of this project to identify and implement essential wireless security standards for both private and public wireless network connectivity for XXXX Corp. Essential wireless security practices will be discussed, with enhancements agreed upon and implemented.
Estimated Duration: 4 weeks
Estimated Effort (days/$): 12 - $16,800
Milestones / Schedule (Date*: Milestone):
• 6/15: All current wireless network hardware & software reviewed for security feature sets; security gaps identified and documented.
• 6/20: Hardware/software options required for wireless security enhancements are agreed upon.
• 6/29: First phase (testing) of wireless security enhancements complete.
• 7/7: Deployment plan of wireless security enhancements completed; implementation begins.
• 7/14: Wireless security enhancements implementation complete.
Team Leader:
Team Members:
Deliverables:
• Secure wireless network for employee access, based on role
• Secure wireless network for public access, based off of essential security standards
• Wireless security procedure (written, as part of the organization InfoSec procedure)
Q|FRAME ISMS Confidential: Do Not Copy Or Distribute Without Approval
Best Practices: Steps to Optimization
1. Establish Control Objectives
2. Engage Priority Action Map
3. Measure Effectiveness
• Increase Efficiency
• Reduce Cycle Time
• Clear Next Actions
• Optimal Resource Allocation
• Business Drivers
• Client Requirements
Q|VUE Company Dashboard
SUMMARY
Phases: Determine Baseline; Priority Action Map; Engage People, Process, Technology; Measure Effectiveness
• Conduct staff interviews
• Align control objectives with client requirements
• Perform gap analysis
• Clear tactics
• Commitment to timeline and action
• Visibility & attribution
• Roles & responsibilities
• Document processes
• Align metrics with program goals
• Reduce cycle time
• Increase efficiency
• Objective reprioritization
• Dashboard
• Contract ready
Comparative Analytics
• Data Capture
• Resource Optimization
• Comparison and Participation
• Performance Certainty
• Cycle Time
Benefits
• Informed Choices – Know what you don’t know
• Proven Methodology – It works & we guarantee results
• Interoperability – w/existing business processes
• Establishes Due Diligence – We do the job of asking, analyzing & measuring overall IT security effectiveness
• Regulatory Umbrella – Framework applied to your organization’s specific regulatory requirements
• Enables Efficiency – Constantly making improvement
• Market Differentiator – No breaches is a good thing
• Financial Alignment – You will know why, what and how much you are spending over 12, 24 and 36 months and how effective you are at reducing the risks to your organization
Quantifiable Information Security Framework to improve your Information Security posture.
Discussion / Q & A
?
WWW.SEQURISGROUP.COM
© 2017 | 57
Contact Information
John Kelley
Sequris Group, LLC
(248) 837-1430
C-586-907-9751
jkelley@sequrisgroup.com
Doug Copley
CISO | CPO | Strategist | Advisor
(517) 204-5701
douglas.copley@gmail.com
https://linkedin.com/in/dcopley
https://twitter.com/DouglasCopley

More Related Content

PDF
Demonstrating Information Security Program Effectiveness
Doug Copley
 
PDF
The Measure of Success: Security Metrics to Tell Your Story
Priyanka Aash
 
PDF
What it Takes to be a CISO in 2017
Doug Copley
 
PDF
Building Human Intelligence – Pun Intended
EnergySec
 
PDF
Achieving Compliance Through Security
EnergySec
 
PDF
How to Build Your Own Cyber Security Framework using a Balanced Scorecard
EnergySec
 
PPTX
Bob West - Educating the Board of Directors
centralohioissa
 
PDF
Vendor Security Practices: Turn the Rocks Over Early and Often
Priyanka Aash
 
Demonstrating Information Security Program Effectiveness
Doug Copley
 
The Measure of Success: Security Metrics to Tell Your Story
Priyanka Aash
 
What it Takes to be a CISO in 2017
Doug Copley
 
Building Human Intelligence – Pun Intended
EnergySec
 
Achieving Compliance Through Security
EnergySec
 
How to Build Your Own Cyber Security Framework using a Balanced Scorecard
EnergySec
 
Bob West - Educating the Board of Directors
centralohioissa
 
Vendor Security Practices: Turn the Rocks Over Early and Often
Priyanka Aash
 

What's hot (20)

PDF
Dynamic Cyber Defense
EnergySec
 
PDF
NESCO Town Hall Workforce Development Presentation
EnergySec
 
PDF
Impacts cloud remote_workforce
Rodrigo Varas
 
PDF
Information Security Strategic Management
Marcelo Martins
 
PPTX
The Board and Cyber Security
FireEye, Inc.
 
PDF
What CIOs Need To Tell Their Boards About Cyber Security
Karyl Scott
 
PDF
Building an effective Information Security Roadmap
Elliott Franklin
 
PDF
Cyber security: Five leadership issues worthy of board and executive attention
Ramón Gómez de Olea y Bustinza
 
PDF
Vendor Cybersecurity Governance: Scaling the risk
Sarah Clarke
 
PPT
Role of The Board In IT Governance & Cyber Security-Steve Howse
CGTI
 
PPTX
FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
FireEye, Inc.
 
PPTX
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
centralohioissa
 
PPTX
Cyber Security in the Digital Age: A Survey and its Analysis
Rahul Neel Mani
 
PDF
Cybersecurity Goverence for Boards of Directors
Paul Feldman
 
PDF
Security Program Development for the Hipster Company
Priyanka Aash
 
PDF
Cybersecurity solution-guide
AdilsonSuende
 
PDF
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Shawn Tuma
 
PDF
Vulnerability management - beyond scanning
Vladimir Jirasek
 
PDF
Data Driven Risk Assessment
Resolver Inc.
 
PDF
Keeping Your Data Clean
Resolver Inc.
 
Dynamic Cyber Defense
EnergySec
 
NESCO Town Hall Workforce Development Presentation
EnergySec
 
Impacts cloud remote_workforce
Rodrigo Varas
 
Information Security Strategic Management
Marcelo Martins
 
The Board and Cyber Security
FireEye, Inc.
 
What CIOs Need To Tell Their Boards About Cyber Security
Karyl Scott
 
Building an effective Information Security Roadmap
Elliott Franklin
 
Cyber security: Five leadership issues worthy of board and executive attention
Ramón Gómez de Olea y Bustinza
 
Vendor Cybersecurity Governance: Scaling the risk
Sarah Clarke
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
CGTI
 
FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
FireEye, Inc.
 
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
centralohioissa
 
Cyber Security in the Digital Age: A Survey and its Analysis
Rahul Neel Mani
 
Cybersecurity Goverence for Boards of Directors
Paul Feldman
 
Security Program Development for the Hipster Company
Priyanka Aash
 
Cybersecurity solution-guide
AdilsonSuende
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Shawn Tuma
 
Vulnerability management - beyond scanning
Vladimir Jirasek
 
Data Driven Risk Assessment
Resolver Inc.
 
Keeping Your Data Clean
Resolver Inc.
 
Ad

Similar to Security Program Guidance and Establishing a Culture of Security (20)

PDF
Implementing a Security Management Framework
Joseph Wynn
 
PPTX
CISO's first 100 days
MichaelSadeghiPhDABD
 
PPTX
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
EC-Council
 
PPTX
GDPR | Cyber security process resilience
Rishi Kant
 
PDF
Solve the exercise in security management.pdf
sdfghj21
 
PPTX
Information security governance
Koen Maris
 
PPTX
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
John D. Johnson
 
PDF
New technologies - Amer Haza'a
Fahmi Albaheth
 
PPTX
CapTech Talks Webinar Jan 2025 Dewayne Hart.pptx
CapitolTechU
 
PDF
Cyber risk management-white-paper-v8 (2) 2015
Accounting_Whitepapers
 
PDF
Infocon Bangladesh 2016
Prime Infoserv
 
PDF
Cloud Cybersecurity: Strategies for Managing Vendor Risk
Health Catalyst
 
PPTX
Insight into Security Leader Success Part 2
Security Executive Council
 
DOCX
S Rod Simpson Resume
Rod Simpson CRISC, CISM, CISA
 
PPTX
2022-customer-planning-template Rapid7 PPTX
ssuser05c3d6
 
PPTX
Jisc's cyber security posture survey - how secure are you?
Jisc
 
PPTX
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Puneet Kukreja
 
PDF
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Software Integrity Group
 
PDF
NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service
 
PDF
CISSO Certification | CISSO Training | CISSO
SagarNegi10
 
Implementing a Security Management Framework
Joseph Wynn
 
CISO's first 100 days
MichaelSadeghiPhDABD
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
EC-Council
 
GDPR | Cyber security process resilience
Rishi Kant
 
Solve the exercise in security management.pdf
sdfghj21
 
Information security governance
Koen Maris
 
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
John D. Johnson
 
New technologies - Amer Haza'a
Fahmi Albaheth
 
CapTech Talks Webinar Jan 2025 Dewayne Hart.pptx
CapitolTechU
 
Cyber risk management-white-paper-v8 (2) 2015
Accounting_Whitepapers
 
Infocon Bangladesh 2016
Prime Infoserv
 
Cloud Cybersecurity: Strategies for Managing Vendor Risk
Health Catalyst
 
Insight into Security Leader Success Part 2
Security Executive Council
 
S Rod Simpson Resume
Rod Simpson CRISC, CISM, CISA
 
2022-customer-planning-template Rapid7 PPTX
ssuser05c3d6
 
Jisc's cyber security posture survey - how secure are you?
Jisc
 
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Puneet Kukreja
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Software Integrity Group
 
NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service
 
CISSO Certification | CISSO Training | CISSO
SagarNegi10
 
Ad

Recently uploaded (20)

PDF
250712-Role Plays for Hands on Exercise-CQS.pdf
Obaid Ali / Roohi B. Obaid
 
PDF
2019_10 The changing world of the Law Firm CFO
tanbir16
 
PPTX
english presenation on professional writing and its types.pptx
WajahatAli434864
 
PDF
SpatzAI Micro-Conflict Resolution Toolkit - Fairer Teamwork Globally
Desmond Sherlock
 
PDF
250628-Challenges of Field Offices in Pharmacovigilance-CQS.pdf
Obaid Ali / Roohi B. Obaid
 
PPTX
Sardar Vallabhbhai Patel ironman of india.pptx
pruthvi07899
 
PDF
250621-WHO-UMC Causality Assessment-CQS.pdf
Obaid Ali / Roohi B. Obaid
 
PPTX
Using the DISC for Leadership Development.pptx
joetrojan
 
PDF
250628-Training of Field Offices-CQS.pdf
Obaid Ali / Roohi B. Obaid
 
PPTX
MBTI Workshop Its Impact on Interactions and Leadership.pptx
joetrojan
 
PPTX
Letter of credit which matters to Import and Export policy
atifaslam1482
 
PDF
The Crystal Ball Chronicles - Battle of the Healers - Tran Quoc Bao the winner
Gorman Bain Capital
 
PDF
Asia’s Health Titans - Meet the Hospital CEOs Revolutionizing Care Across the...
Gorman Bain Capital
 
PDF
Geopolitical Uncertainties, Dynamic Capabilities, and Technology Management
David Teece
 
PDF
Branding Potentials of Keyword Search Ads The Effects of Ad Rankings on Bran...
hritikamishra2k
 
PPTX
1_Introduction_African and Caribbean Literatures.pptx
POORNIMAN26
 
PDF
Digital Ecosystems and Dynamic Competition
David Teece
 
PDF
250719-Individual Case Safety Reports-CQS.pdf
Obaid Ali / Roohi B. Obaid
 
PPTX
Leadership Meaning and Styles- Autocratic, Paternalis--
PoojaShetty805509
 
PPTX
SAP Security Road Map with the Strategic move
tomar2000
 
250712-Role Plays for Hands on Exercise-CQS.pdf
Obaid Ali / Roohi B. Obaid
 
2019_10 The changing world of the Law Firm CFO
tanbir16
 
english presenation on professional writing and its types.pptx
WajahatAli434864
 
SpatzAI Micro-Conflict Resolution Toolkit - Fairer Teamwork Globally
Desmond Sherlock
 
250628-Challenges of Field Offices in Pharmacovigilance-CQS.pdf
Obaid Ali / Roohi B. Obaid
 
Sardar Vallabhbhai Patel ironman of india.pptx
pruthvi07899
 
250621-WHO-UMC Causality Assessment-CQS.pdf
Obaid Ali / Roohi B. Obaid
 
Using the DISC for Leadership Development.pptx
joetrojan
 
250628-Training of Field Offices-CQS.pdf
Obaid Ali / Roohi B. Obaid
 
MBTI Workshop Its Impact on Interactions and Leadership.pptx
joetrojan
 
Letter of credit which matters to Import and Export policy
atifaslam1482
 
The Crystal Ball Chronicles - Battle of the Healers - Tran Quoc Bao the winner
Gorman Bain Capital
 
Asia’s Health Titans - Meet the Hospital CEOs Revolutionizing Care Across the...
Gorman Bain Capital
 
Geopolitical Uncertainties, Dynamic Capabilities, and Technology Management
David Teece
 
Branding Potentials of Keyword Search Ads The Effects of Ad Rankings on Bran...
hritikamishra2k
 
1_Introduction_African and Caribbean Literatures.pptx
POORNIMAN26
 
Digital Ecosystems and Dynamic Competition
David Teece
 
250719-Individual Case Safety Reports-CQS.pdf
Obaid Ali / Roohi B. Obaid
 
Leadership Meaning and Styles- Autocratic, Paternalis--
PoojaShetty805509
 
SAP Security Road Map with the Strategic move
tomar2000
 

Security Program Guidance and Establishing a Culture of Security

  • 1. Making a Cultural Change for Information Security
    Presented by John Kelley and Doug Copley, 25 MAR 2017
    Note to Reviewer: Much of this document is specific to Sequris Group information systems, policies, procedures, and IT security posture. As such, the contents of this presentation are classified as CONFIDENTIAL and cannot be copied, reused, or distributed without express written authorization from Sequris Group.
    Sequris Group, LLC Content All Rights Reserved 2011-2017
  • 2. WWW.SEQURISGROUP.COM © 2017 | 2
    Contact Information
    John Kelley, Sequris Group, LLC, (248) 837-1430, C-586-907-9751, [email protected]
    Doug Copley, CISO | CPO | Strategist | Advisor, (517) 204-5701, [email protected], https://linkedin.com/in/dcopley, https://twitter.com/DouglasCopley
  • 3. Who is the CISO?
    1. Security Leader? IT Leader? YES, Depends
    2. Business-Savvy Executive? YES
    3. Risk Leader? YES
    4. Compliance Leader? Depends
    5. Team Leader, Coach, Mentor? YES
    6. Therapist? YES
    7. MacGyver? YES
  • 4. CISO – The Impossible Job? Or Just Thankless?
    [Diagram: security technology landscape. Rows: Data, Network, Databases, Systems, Endpoints, Messaging & Content, Application, Infrastructure. Columns: Policy definition, Enforcement, Monitoring & response, Audit/Measurement. Technologies plotted: Compliance monitoring, Firewall, VPN, Database encryption, Database security and monitoring, Storage security, Firewall/Host IPS, Web security gateway, Antivirus/Antispyware, Device control, Hard drive encryption, XML gateway, Digital rights management, Identity & Access Management, Anti-spam, Asset Management, Mobile device security, Switch/Router Security, Web security, Vulnerability Management, Application Assessment, Digital Investigation & Forensics, Wireless monitoring, Security Incident Management, Patch management, IDS/IPS, NAC, Application firewall, Enterprise encryption & key management, Data Leak Prevention, Forensics, Enterprise directory, Web SSO, Email content filtering, Antivirus, Strong Authentication, App encryption, Risk Management, Basic Auditing.]
  • 5. Requires ability to work in uncertainty
    [Illustration, "What Some Days Felt Like": Day 1, "You are here…", "Arranging deck chairs…"]
    Source: http://www.workinginuncertainty.co.uk/
  • 6. CISO Priorities in 2017
    • Managing information risk
    • Executive business partner (enable)
    • Successfully navigating the landscape (business, regulatory, threat)
    • Risk-based strategy & vision
    • Leadership (security, team, change)
    • Drive the culture of risk identification
    Primary Focus: Enable the business while managing risk & compliance
  • 7. KEEP THINGS SIMPLE
  • 8. Practical Steps for a CISO
    1. Decide on a framework (ISO, NIST, HITRUST, etc.)
    2. Build relationships & understand business priorities
    3. Understand the technical environment, critical information and information flows
    4. Identify & assess areas of risk
    5. Governance committee prioritizes actions
    6. Implement controls
    7. Measure control effectiveness
  • 9. Periodic Security Risk Assessment
    • Can provide a risk baseline
    • Can provide an estimated compliance baseline
    • Provides a process to measure progress
    • Must consider all “reasonably foreseeable risks”
    • Should have close alignment to regulatory expectations and guidance
    • Make sure the scope is complete so you don’t end up doing another one to catch missed areas
    • Will be the primary input into the security roadmap
  • 10. 8. Evaluate the Risks
    • Determine which threats and vulnerabilities apply to each set of information
    • Ask yourself what the worst-case scenario is
    • Assess likelihood and impact
    • Do you have controls that mitigate some of the risk?
    • Use Finance to help measure risk in $$
    • Rank risks: is there a documented tolerance?
    • Evaluate the cost and effort of additional mitigating controls
    • Let the governance committee decide actions
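Carrying the evaluation steps above through in code, as an added example that is not part of the Sequris Group deck: each risk gets a likelihood and a dollar impact, existing controls reduce the exposure, the residual loss is ranked against a documented tolerance, and the annualised cost of a proposed control is weighed against the loss it would avoid so the governance committee sees both the ranking and a recommendation. The risk names, probabilities, dollar figures and the tolerance are constructed for illustration.

```python
# Added example (not from the Sequris Group deck): a small risk-evaluation
# routine that carries the slide's steps through in code. All risks, dollar
# figures, probabilities and the tolerance are constructed illustrations.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    information_set: str          # which set of information the threat applies to
    likelihood: float             # estimated annual probability of the worst-case scenario (0..1)
    impact_usd: float             # worst-case loss in dollars, estimated with Finance
    existing_mitigation: float    # fraction of that loss current controls already remove (0..1)
    control_cost_usd: float       # annualised cost of a proposed additional control
    control_mitigation: float     # fraction of residual loss the proposed control would remove (0..1)

    def inherent_loss(self) -> float:
        """Annualised loss expectancy before any controls: likelihood x impact."""
        return self.likelihood * self.impact_usd

    def residual_loss(self) -> float:
        """Annualised loss after the controls already in place."""
        return self.inherent_loss() * (1.0 - self.existing_mitigation)

    def control_net_benefit(self) -> float:
        """Loss avoided by the proposed control minus what it costs (positive = worth funding)."""
        return self.residual_loss() * self.control_mitigation - self.control_cost_usd


def evaluate_risks(risks, tolerance_usd):
    """Rank risks by residual annualised loss and flag what the governance committee must decide on."""
    ranked = sorted(risks, key=lambda r: r.residual_loss(), reverse=True)
    rows = []
    for rank, r in enumerate(ranked, start=1):
        rows.append({
            "rank": rank,
            "name": r.name,
            "inherent_usd": round(r.inherent_loss()),
            "residual_usd": round(r.residual_loss()),
            "exceeds_tolerance": r.residual_loss() > tolerance_usd,
            "control_net_benefit_usd": round(r.control_net_benefit()),
            "recommend_control": r.control_net_benefit() > 0,
        })
    return rows


# Constructed sample register (values are illustrative, not from the deck).
SAMPLE_RISKS = [
    Risk("Ransomware on shared file servers", "clinical documents", 0.30, 2_000_000, 0.50, 60_000, 0.60),
    Risk("Unencrypted laptop lost or stolen", "patient records", 0.80, 150_000, 0.00, 20_000, 0.90),
    Risk("Data centre flooding", "all hosted systems", 0.02, 5_000_000, 0.20, 400_000, 0.50),
]
DOCUMENTED_TOLERANCE_USD = 100_000   # assumed board-approved annual loss tolerance per risk


def governance_agenda(risks=SAMPLE_RISKS, tolerance_usd=DOCUMENTED_TOLERANCE_USD):
    """Names of risks above tolerance, in priority order, for the committee to act on."""
    return [row["name"] for row in evaluate_risks(risks, tolerance_usd) if row["exceeds_tolerance"]]


if __name__ == "__main__":
    for row in evaluate_risks(SAMPLE_RISKS, DOCUMENTED_TOLERANCE_USD):
        print(row)
    print("Agenda:", governance_agenda())
```

With the constructed figures the flood scenario ranks lowest and its proposed control costs more than the loss it avoids, so it is not recommended even though its worst-case impact is the largest; that is the point of scoring on residual annualised loss rather than on impact alone.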
  • 11. Managing Cyber Risk
    • Key is appropriately managing the risks
      • Policies & procedures (administrative)
      • Technology tools (technical)
      • Control physical access (physical)
    • Risk/Cost decision: do we need to:
      • Prevent it from happening?
      • Detect & respond when it happens?
      • Would it automatically get corrected?
      • Do we get cyber insurance?
      • Is there a strong culture of openness?
  • 12. Perspective: Users - Asset or Liability?
    Liability
    • Aren’t aware of policies
    • Careless; make mistakes
    • Contract malware
    • Steal company secrets
    • Sabotage systems
    • Falsify data
    • Steal identities
    Asset
    • Help educate others
    • Police their departments
    • Report risky behavior
    • Help improve policies
    • Help remediate events
    • Pilot new controls
    • Suggest new processes
  • 13. UNDERSTAND THE NEEDS OF EXECUTIVE LEADERSHIP
  • 14. Six Cybersecurity Questions Boards Should Ask
    1. Does the organization use a security framework?
    2. What are the top five risks the organization has related to cybersecurity?
    3. How are employees made aware of their role related to cybersecurity?
    4. Are external and internal threats considered when planning cybersecurity program activities?
    5. How is security governance managed within the organization?
    6. In the event of a serious breach, has management developed a robust response protocol?
    © 2014 The Institute of Internal Auditors Research Foundation
  • 15. ISO 27002:2013 Framework
  • 16. NIST Cybersecurity Framework
  • 17. CIS Critical Security Controls (formerly the SANS Top 20)
  • 18. Top Five Cybersecurity Risks
    Be concise and transparent:
    1. Asset Management
    2. Network Access Control
    3. Security Event Monitoring
    4. User Education
    5. Business Continuity
  • 19. Example: Initiatives To Change 2016 Risk Levels
    Asset Management (red to yellow)
    • Infrastructure: finish deployment of existing tools
    • Set up device discovery scans in Qualys
    • Establish inventory process for network medical devices
    Operations Management Security (red to yellow)
    • Scale SIEM platform for Beaumont Health
    • Greatly expand vulnerability management program
    • Mature anti-malware management practices (follow-up)
    • Implement web application scanning (already licensed)
    • Drive security planning into SDLC process
  • 20. Executive Dashboard
    • Intended to convey a high-level status of the program to C-level executives and the Board
    • Security Dashboard should convey:
      • Status of regulatory compliance
      • Capability, maturity and implementation level of the program
      • Key areas of information risk to the organization
      • Current initiatives and future state posture
      • External ties and intelligence information
    • Must answer the question “Is our Information Security program effective?”
  • 21. Information Security (ISO) Risk Dashboard
    [Dashboard: one tile per framework area, each showing a count. Areas: InfoSec Management Program (IS), Access Control (AC), Human Resources Security (HR), Risk Management (RM), Security Policy (SP), Organization of Information Security (OI), Compliance (CO), Asset Management (AM), Physical Security (PS), Communications Security (CS), Systems Acquisition, Development, and Maintenance (SD), Incident Management (IM), Business Continuity (BC), Cryptography (CR), Operations Management (OM), Supplier Relationships (SR). Counts as extracted, order not recoverable: 4 22 2 4 3 3 2 0 5 11 0 1 1 2 7 0.]
  • 22. Risks and Efforts by Framework Area
    [Chart: #Risk Items / #Open Initiatives per area. Areas: Information Security Management, Human Resource Security, Access Control, Security Policy, Risk Management, Compliance, Organization of Information Security, Asset Management. Values as extracted, pairing not recoverable: 3 4 17 22 1 2 5 4 12 3 0 3 0 11 5 2.]
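The two dashboard slides above roll an IT risk register up into per-area counts; here is that roll-up as an added example, not code from the deck or from Sequris Group. It reads a constructed register of risk items and remediation initiatives tagged with the framework-area codes the dashboard uses, produces the overall closed / pending closure / open totals, the “#Risk Items / #Open Initiatives” figure per area, and a red/yellow/green colouring whose thresholds are an assumption you would replace with your own tolerance. The register rows, the subset of area codes and the thresholds are all constructed.

```python
# Added example (not from the Sequris Group deck): rolling an IT risk register
# up into the per-framework-area counts a risk dashboard shows. Register rows,
# the subset of area codes and the RAG thresholds are constructed assumptions.
from collections import Counter

# Framework areas and short codes as labelled on the dashboard slides (subset).
AREA_NAMES = {
    "AM": "Asset Management",
    "AC": "Access Control",
    "IM": "Incident Management",
    "OM": "Operations Management",
}

# Constructed register: each row is one risk item or one remediation initiative.
REGISTER = [
    {"id": "R-001", "area": "AM", "kind": "risk", "status": "open"},
    {"id": "R-002", "area": "AM", "kind": "risk", "status": "open"},
    {"id": "R-003", "area": "AM", "kind": "risk", "status": "closed"},
    {"id": "I-001", "area": "AM", "kind": "initiative", "status": "open"},
    {"id": "R-004", "area": "AC", "kind": "risk", "status": "pending closure"},
    {"id": "I-002", "area": "AC", "kind": "initiative", "status": "open"},
    {"id": "I-003", "area": "AC", "kind": "initiative", "status": "closed"},
    {"id": "R-005", "area": "IM", "kind": "risk", "status": "closed"},
    {"id": "I-004", "area": "IM", "kind": "initiative", "status": "open"},
]

VALID_STATUSES = {"open", "pending closure", "closed"}


def status_counts(register):
    """Overall closed / pending closure / open totals for the governance summary."""
    counts = Counter()
    for row in register:
        if row["status"] not in VALID_STATUSES:
            raise ValueError(f"{row['id']}: unknown status {row['status']!r}")
        counts[row["status"]] += 1
    return {s: counts[s] for s in ("closed", "pending closure", "open")}


def rollup_by_area(register, areas=AREA_NAMES):
    """Per area: risk items still carrying exposure (not closed) and initiatives still open."""
    out = {code: {"risk_items": 0, "open_initiatives": 0} for code in areas}
    for row in register:
        bucket = out[row["area"]]   # KeyError here means an unmapped area code: fix the register
        if row["kind"] == "risk" and row["status"] != "closed":
            bucket["risk_items"] += 1
        elif row["kind"] == "initiative" and row["status"] == "open":
            bucket["open_initiatives"] += 1
    return out


def rag_level(risk_items, red_at=2):
    """Assumed colouring: red at or above red_at unclosed risks, yellow if any, green if none."""
    if risk_items >= red_at:
        return "red"
    return "yellow" if risk_items > 0 else "green"


def dashboard(register=REGISTER, areas=AREA_NAMES):
    """Rows in the form the slide shows: area, #risk items / #open initiatives, colour."""
    return [
        (areas[code], f"{c['risk_items']}/{c['open_initiatives']}", rag_level(c["risk_items"]))
        for code, c in rollup_by_area(register, areas).items()
    ]


if __name__ == "__main__":
    print(status_counts(REGISTER))
    for name, ratio, colour in dashboard():
        print(f"{name:<25} {ratio:>6}  {colour}")
```

Areas with no register rows still appear as 0/0 and green, which is what an executive reader expects of a complete dashboard; an unknown status or an area code missing from the mapping raises instead of silently dropping the row, so the register is cleaned rather than the dashboard quietly understating risk.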
  • 23. RELATIONSHIPS AND COMMUNICATION
  • 24. Example Security Governance
    Organizational Structure
    • Information Security Officer reporting relationship to CIO & CCO
    IT Risk Register
    • Contains identified risks, deficiencies, control gaps and audit findings
    • Visible to Corporate Compliance and Internal Audit
    • 155 closed, 5 pending closure, and 75 open
    Committees
    • Information Access, Privacy and Security
    • Business Ethics and Corporate Compliance
    • Research Institute Compliance
    • Payment Systems Governance
  • 25. Culture – All Hands on Deck - Incident Response
    • Breaches are inevitable
    • Effective response requires engagement of senior stakeholders across the organization (relationships)
    • Have a well-documented process
    • How quickly will you recognize an incident?
    • Does everyone understand their role?
    • Practice incident response
    • Continuously improve based on exercises
    • Be prepared: it will happen
  • 26. Why Track Program Metrics?
    • Integral to a program’s governance
    • Keeps staff & stakeholders aligned
    • Supports continuous improvement
    • Can show resource gaps or shortages
    • Manage service provider SLAs
    • Provides assurance to executives & the Board
    • Provides a basis for comparative benchmarking
    “You can’t manage what you can’t measure.” - W. Edwards Deming
  • 27. Building Security Without Boundaries
    • Resources are ALWAYS constrained
      • Reason for risk-based prioritization
      • Outsource if necessary, but commodity functions
    • Reward innovation (think like there is no box!)
      • May increase productivity
      • Can help improve morale
    • Look for external funding
      • Federal & State grants may be available
      • May be able to participate in outside initiatives
  • 28. Leverage Key Partnerships
    Build a culture of collaboration that actively engages those outside your organization for best practices. In healthcare, key resources are:
    1. Peer organizations: non-profit and for-profit
    2. State: Dept. of Community Health
    3. State: Health Information Exchanges
    4. State: Health & Hospital Association
    5. HITRUST & NH-ISAC
    6. Federal: Health & Human Services
    7. Federal: FBI & InfraGard
    8. Federal: Homeland Security
  • 31. Sequris Message
    Sequris Group is a full-service Information Security company with a proven and quantifiable IT security framework that allows our clients to achieve measurable results and a guaranteed increase to their security profile and posture.
  • 32. Current State of the Industry
    Survey, June 2016, by Dark Reading and the Black Hat USA conference; predominantly large companies, with 60% of respondents working at organizations with 1,000+ employees.
    • IT professionals believe there is a 40% chance that a security breach will occur in the next 12 months
    • Too many rapidly evolving vulnerabilities
    • A rise in social engineering attacks aimed directly at targeted organizations
    • What to do about ransomware
    • Resources for organizations to deal with all of the cybersecurity concerns
    • IoT
    • Ransomware
  • 33. Top Executive Concerns
    • Attacks directly targeted at our organization
    • Effort to stay in compliance
    • Phishing, social network exploits, social engineering
    • Accidental data leaks by end-users
    • Effort to measure the organization’s security posture
    • Data theft by insiders
    • Mistakes or attacks that cause the organization to lose compliance with industry regulations
    • Espionage
    • Ransomware
    • Employee training and awareness
    • A solid security plan
    Source: Black Hat Survey 2016
  • 34. About Sequris Group
    • Established in 1996
    • More than 800 clients
    • Over 3,000 projects completed
    • National footprint
      • HQ in Royal Oak, Michigan
      • Sales and service offices: Royal Oak, Michigan; Denver, CO; Phoenix, Arizona
      • SOC: Royal Oak
      • Data Center: Phoenix
  • 35. Technology Partners
  • 36. THE SEQURIS APPROACH
  • 37. Making a Cultural Change
    A Comprehensive Suite of Security Services:
    • Baseline Metrics and Gap Analysis
    • A Roadmap to Success
    • Aligning Metrics with Program Goals: People, Process and Technology
    • Program Improvement Reporting and Display
    • Participate and Share with Comparative Analytics
  • 38. Where do you stand now?
    [Chart: vertical axis “Explicit Risk Tolerance & Security Policy (Requirements)”, from Ambiguous to Explicit; horizontal axis “Security Operations (People, process, technology)”, from Chaos through Reactive, Proactive and Predictive to Optimize; the gap between the two is marked “Opportunity for Improvement”.]
  • 39. Quantifiable Information Security Framework to improve your Information Security posture
    • Q|Frame™ is a holistic and proven information security framework that aligns risk tolerance with security operations.
    • Q|Frame™ provides the foundation for identifying metrics, measurements, and reporting.
    • Q|Frame involves an IT security gap analysis, allowing your organization to consider its current level of maturity and improve its security profile.
    • Q|Frame™ is a proprietary model that allows us to ‘insert’ relevant security controls for any client environment and regulatory posture.
    • Q|Frame is based upon 4 recurring phases:
      • Determine Baseline
      • Priority Action Map
      • Engage People, Processes, Technology
      • Measure Effectiveness
  • 40. Q|Frame™ Dashboard: 20 Critical Cyber Security Controls
    [Bar chart: % Coefficient Capability Maturity (0–100%) for each control. Controls: Inventory of Authorized Devices; Inventory of Authorized Software; Secure Configurations for Computers; Secure Configurations for Network Devices; Boundary Defenses; Analysis of Security Audit Logs; Application Software Security; Controlled Use of Administrative Privileges; Controlled Access Based on Need to Know; Vulnerability Assessment and Remediation; Account Monitoring and Control; Malware Defenses; Network Access Control; Wireless Device Control; Data Loss Prevention; Secure Network Engineering; Penetration Tests and Red Team Exercises; Incident Response Capability; Data Recovery Capability; Security Skills Assessment.]
  • 41. What are your Regulatory or Business Drivers?
    • HIPAA: Health Insurance Portability and Accountability Act
    • GLBA: Gramm-Leach-Bliley Act
    • PCI DSS: Payment Card Industry Data Security Standard
    • SOX: Sarbanes-Oxley (SOX 404)
    • HITRUST: Health Information Trust Alliance CSF Controls
    • SANS: Information Security Technology Institute and Training
    • CJIS: Criminal Justice Information Services Security Policy
    • ISO/QS: International Organization for Standardization
    • NIST: National Institute of Standards and Technology, US Department of Commerce
  • 42. Characteristics of Maturity Levels in Security
    Initial: Processes are unpredictable, poorly controlled and highly reactive.
    Managed: Process is characterized for only a few projects and is most often reactive.
    Defined: Processes are characterized for the organization and generally proactive with defined goals. (Projects tailor their process from the organization’s standard.)
    Quantitatively Managed: Process overall is measured and controlled.
    Optimizing: Focus on incremental process improvement.
    Source: Software Engineering Institute (SEI), CMMI® for Services, Version 1.3 (CMMI-SVC, V1.3), CMMI Product Team, “Improving processes for providing better services”, November 2010, Software Engineering Process Management Program. Unlimited distribution subject to the copyright. http://www.sei.cmu.edu/reports/10tr034.pdf
  • 43. Q|Frame™ Applied to Critical Controls
  • 44. Priority Action Map
    [Timeline chart, Jan through July. Projects: Security Task Force Meeting; Calibrate Next Twelve Months; InfoSec Procedure Creation; Wireless Security & PCI Review; End-user Computing Security; Organizational Security; Remote/Mobile Security; Incident Response Plan; Network Security; Asset Classification/Mgmt.]
    • The timeline outlines successive security enhancements across the organization.
    • Some projects will overlap because of general information gathering, etc.
    • Timelines are estimates; however, a .8 confidence factor is applied.
  • 45. Wireless Network Security Enhancements (Example)
    Project Narrative: Wireless networks extend the traditional boundaries of local area networks. With that in mind, it is the goal of this project to identify and implement essential wireless security standards for both private and public wireless network connectivity for XXXX Corp. Essential wireless security practices will be discussed, with enhancements agreed upon and implemented.
    Estimated Duration: 4 weeks
    Estimated Effort (days/$): 12 - $16,800
    Milestones / Schedule (Date*: Milestone):
    6/15: All current wireless network hardware & software reviewed for security feature sets; security gaps identified and documented.
    6/20: Hardware/software options required for wireless security enhancements are agreed upon.
    6/29: First phase (testing) of wireless security enhancements complete.
    7/7: Deployment plan of wireless security enhancements completed; implementation begins.
    7/14: Wireless security enhancements implementation complete.
    Team Leader:
    Team Members:
    Deliverables:
    • Secure wireless network for employee access, based on role
    • Secure wireless network for public access, based on essential security standards
    • Wireless security procedure (written, as part of the organization’s InfoSec procedure)
    Q|FRAME ISMS Confidential: Do Not Copy Or Distribute Without Approval
  • 46. Best Practices: Steps to Optimization
    1. Establish Control Objectives
      • Business Drivers
      • Client Requirements
    2. Engage Priority Action Map
      • Clear Next Actions
      • Optimal Resource Allocation
    3. Measure Effectiveness
      • Increase Efficiency
      • Reduce Cycle Time
  • 47. Q|VUE Company Dashboard
  • 52. SUMMARY
    Determine Baseline
    • Conduct staff interviews
    • Align control objectives with client requirements
    • Perform gap analysis
    Priority Action Map
    • Clear tactics
    • Commitment to timeline and action
    • Visibility & attribution
    Engage People, Process, Technology
    • Roles & responsibilities
    • Document processes
    • Align metrics with program goals
    Measure Effectiveness
    • Reduce cycle time
    • Increase efficiency
    • Objective reprioritization
    • Dashboard
    • Contract ready
    Comparative Analytics
    • Data Capture
    • Resource Optimization
    • Comparison and Participation
    • Performance Certainty
    • Cycle Time
  • 53. Benefits
    • Informed Choices: know what you don’t know
    • Proven Methodology: it works & we guarantee results
    • Interoperability: with existing business processes
    • Establishes Due Diligence: we provide the job of asking, analyzing & measuring overall IT security effectiveness
    • Regulatory Umbrella: framework applied to your organization’s specific regulatory requirements
    • Enables Efficiency: constantly making improvement
    • Market Differentiator: no breaches is a good thing
    • Financial Alignment: you will know why, what and how much you are spending over 12, 24 and 36 months and how effective you are at reducing the risks to your organization
    Quantifiable Information Security Framework to improve your Information Security posture.
  • 54. Discussion / Q & A?