-
FRSECURE.COM
The Truth About Information Security in Schools
Region V 23rd Annual Spring Conference - April 4th, 2013
Evan Francen CISSP, CISM, CCSK
President of FRSecure, LLC
Thank You for Attending!
&
Many Thanks Region V for Inviting Us!
Before We Get Started
• This is not your typical presentation.
• Your thoughts on this topic are just as important as ours.
• You are encouraged to participate!
I will ask you questions, if you don’t ask me some!
About FRSecure
• Information security consulting is all we do.
• Established in 2008 by people who have earned their stripes in the field.
• We help small to medium sized organizations solve information security challenges.
“We get paid to tell people the truth”
Who Is This Guy? Evan Francen: CISSP, CISM
• President & co-founder of FRSecure
• 20 years of information security experience
• Security evangelist with more than 700 published articles
• Experience with 150+ public & private organizations.
How Do “Normal” People Feel About Information Security?
What is Driving Information Security In Schools?
What is this?
• The Federal Trade Commission
• FERPA – Family Educational Rights & Privacy Act
• COPPA – Children’s Online Privacy Protection Act
• Common Threats & Vulnerabilities
• Fear of Non-Compliance
Information Security Ten Commandments
“rules of the game”
Our Information Security Ten Commandments are Principles.
#1 – A Business is in Business to Make Money
• Schools are no different…well, kind of.
• Some risks are worth taking.
• Not all risks require remediation.
• All information security expenses need justification.
• There is no ROI in information security, right?
#2 – Information Security is a Business Issue
• It is NOT an IT issue!
• Executive management probably doesn’t need the detailed specs of your new NGFW.
• Executive management does need to be aware of strategic direction and most significant risks.
• Ultimately, it’s executive management that’s responsible.
#3 – Information Security is Fun
• Information security is more effective if people enjoy it.
• Look for opportunities to make information security fun.
• Laugh at yourself sometimes (not always others).
• We can be serious AND fun. They don’t have to be exclusive.
#4 – People are the biggest risk
• It’s easier to go through your secretary than it is to go through your firewall.
• People don’t read your policies.
• Social engineering success rates are more than 8x better than technology penetration success rates.
“Excuse me, Sir. I think you dropped your gun.”
What is the Weakest Link in Information Security?
Trevor
Don’t be Trevor.
#5 – “Compliant” and “Secure” are Different.
#6 – There is No Common Sense in Information Security
• What makes perfect sense to you, probably doesn’t make perfect sense to everyone else.
• Users feel justified in their actions.
• Try to see the world the way they see it.
#7 – “Secure” is Relative
• Have you ever been asked “Are we secure?” or “Are you secure?”
• We can only answer “how” secure we are.
• Find metrics that you can measure.
• Without measurement you don’t know.
#8 – Information Security Should Help Drive Business
• We have a bad rap for getting in the way of business, and for being a cost-center.
• What opportunities does information security have for enabling business and adding to the bottom line?
• Information security objectives must align with business objectives.
• You won’t succeed unless you engage with key business process owners.
#9 – Information Security is Not One Size Fits All
• What works for one, may not work for another:
- Policies
- Technologies
- Compliance
• Information security is a custom solution.
The Ten Commandments Recap
1. A Business is in Business to Make Money.
2. Information Security is a Business Issue.
3. Make Information Security Fun.
4. People are the Most Significant Risk.
5. “Compliant” and “Secure” are Different.
6. There’s No Common Sense in Information Security.
7. “Secure” is Relative.
8. Information Security Should Drive Business.
9. Information Security is NOT One Size Fits All.
10. There is no “Easy Button.”
Solutions? Here’s a Start…
1. Establish roles & responsibilities.
2. Conduct an objective assessment.
3. Cover the basics.
4. Document what you’re doing and why.
5. Communicate your expectations regularly.
*Seek Assistance*
Announcement – “Truth of the Future”
In the Fall of 2013, FRSecure plans to partner with high schools open to developing an information security extra-curriculum for aspiring students.
• Demand for Information Security skills is growing quickly.
• Awareness of Information Security career paths is stagnant.
*If you have interest or ideas on this topic,
please contact us.*
Weakest Link - Real Stories
• “Physical Access to Fortune 100 Company Headquarters”
• “Password Almost Cost Someone Their Retirement”
• “Police Help Me Carry Out an Attack”
• “I Don’t Really Work for the Power Company”
Thank You!
Evan Francen CISSP, CISM, President
952-467-6384 (direct)
John Harmon, Account Manager
952-467-6387 (direct)
• Information Security Assessments
• Compliance Assessments (e.g. HIPAA, GLBA, PCI, FDA, etc.)
• Customer Required Assessments
• Internal Network Vulnerability Assessments
• External Network Security Assessments
• Penetration Testing and Social Engineering
• Information Security Program Development
• Security Policies
• Training & Awareness
• BC/DR Plans
• Outsourced Security Resources
www.FRSecure.com