The Truth About Information Security in Schools
Region V 23rd Annual Spring Conference - April 4th, 2013
Evan Francen, CISSP, CISM, CCSK
President of FRSecure, LLC


  • FRSECURE.COM

    The Truth About Information Security in Schools

    Region V 23rd Annual Spring Conference - April 4th, 2013

    Evan Francen, CISSP, CISM, CCSK

    President of FRSecure, LLC

  • FRSECURE.COM

    Thank You for Attending!

    &

    Many Thanks to Region V for Inviting Us!

  • FRSECURE.COM

    Before We Get Started

    • This is not your typical presentation.

    • Your thoughts on this topic are just as important as ours.

    • You are encouraged to participate!

    • I will ask you questions, if you don’t ask me some!

  • FRSECURE.COM

    About FRSecure

    • Information security consulting is all we do.

    • Established in 2008 by people who have earned their stripes in the field.

    • We help small to medium-sized organizations solve information security challenges.

    “We get paid to tell people the truth”

  • FRSECURE.COM

    Who Is This Guy?

    Evan Francen: CISSP, CISM

    • President & co-founder of FRSecure

    • 20 years of information security experience

    • Security evangelist with more than 700 published articles

    • Experience with 150+ public & private organizations

  • FRSECURE.COM

    How Do “Normal” People Feel About Information Security?

  • FRSECURE.COM

    What is Driving Information Security in Schools?

    What is this?

    • The Federal Trade Commission

    • FERPA – Family Educational Rights and Privacy Act

    • COPPA – Children’s Online Privacy Protection Act

    • Common Threats & Vulnerabilities

    • Fear of Non-Compliance

  • FRSECURE.COM

    Information Security Ten Commandments

    “rules of the game”

    Our Information Security Ten Commandments are Principles.

  • FRSECURE.COM

    #1 – A Business is in Business to Make Money

    • Schools are no different…well, kind of.

    • Some risks are worth taking.

    • Not all risks require remediation.

    • All information security expenses need justification.

    • There is no ROI in information security, right?

  • FRSECURE.COM

    #2 – Information Security is a Business Issue

    • It is NOT an IT issue!

    • Executive management probably doesn’t need the detailed specs of your new NGFW.

    • Executive management does need to be aware of strategic direction and the most significant risks.

    • Ultimately, it’s executive management that’s responsible.

  • FRSECURE.COM

    #3 – Information Security is Fun

    • Information security is more effective if people enjoy it.

    • Look for opportunities to make information security fun.

    • Laugh at yourself sometimes (not always others).

    • We can be serious AND fun. They don’t have to be exclusive.

  • FRSECURE.COM

    #4 – People are the Biggest Risk

    • It’s easier to go through your secretary than it is to go through your firewall.

    • People don’t read your policies.

    • Social engineering success rates are more than 8x better than technology penetration success rates.

  • FRSECURE.COM

    “Excuse me, Sir. I think you dropped your gun.”

  • FRSECURE.COM

    What is the Weakest Link in Information Security?

    Trevor

  • FRSECURE.COM

    Don’t be Trevor.

  • FRSECURE.COM

    #5 – “Compliant” and “Secure” are Different.

  • FRSECURE.COM

    #6 – There is No Common Sense in Information Security

    • What makes perfect sense to you probably doesn’t make perfect sense to everyone else.

    • Users feel justified in their actions.

    • Try to see the world the way they see it.

  • FRSECURE.COM

    #7 – “Secure” is Relative

    • Have you ever been asked “Are we secure?” or “Are you secure?”

    • We can only answer “how” secure we are.

    • Find metrics that you can measure.

    • Without measurement you don’t know.

  • FRSECURE.COM

    #8 – Information Security Should Help Drive Business

    • We have a bad rap for getting in the way of business, and for being a cost-center.

    • What opportunities does information security have for enabling business and adding to the bottom line?

    • Information security objectives must align with business objectives.

    • You won’t succeed unless you engage with key business process owners.

  • FRSECURE.COM

    #9 – Information Security is Not One Size Fits All

    • What works for one, may not work for another:

    - Policies

    - Technologies

    - Compliance

    • Information security is a custom solution.

  • FRSECURE.COM

    The Ten Commandments Recap

    1. A Business is in Business to Make Money.

    2. Information Security is a Business Issue.

    3. Make Information Security Fun.

    4. People are the Most Significant Risk.

    5. “Compliant” and “Secure” are Different.

    6. There’s No Common Sense in Information Security.

    7. “Secure” is Relative.

    8. Information Security Should Drive Business.

    9. Information Security is NOT One Size Fits All.

    10. There is no “Easy Button.”

  • FRSECURE.COM

    Solutions? Here’s a Start…

    1. Establish roles & responsibilities.

    2. Conduct an objective assessment.

    3. Cover the basics.

    4. Document what you’re doing and why.

    5. Communicate your expectations regularly.

    *Seek Assistance*

  • FRSECURE.COM

    Announcement – “Truth of the Future”

    In the Fall of 2013, FRSecure plans to partner with High Schools open to developing an extracurricular information security curriculum for aspiring students.

    • Demand for Information Security skills is growing quickly.

    • Awareness of Information Security career paths is stagnant.

    *If you have interest or ideas on this topic, please contact us.*

  • FRSECURE.COM

    Weakest Link - Real Stories

    • “Physical Access to Fortune 100 Company Headquarters”

    • “Password Almost Cost Someone Their Retirement”

    • “Police Help Me Carry Out an Attack”

    • “I Don’t Really Work for the Power Company”

  • FRSECURE.COM

    Thank You!

    Evan Francen, CISSP, CISM

    President

    [email protected]

    952-467-6384 (direct)

    John Harmon

    Account Manager

    [email protected]

    952-467-6387 (direct)

    • Information Security Assessments

    • Compliance Assessments (e.g. HIPAA, GLBA, PCI, FDA)

    • Customer Required Assessments

    • Internal Network Vulnerability Assessments

    • External Network Security Assessments

    • Penetration Testing and Social Engineering

    • Information Security Program Development

    • Security Policies

    • Training & Awareness

    • BC/DR Plans

    • Outsourced Security Resources

    www.FRSecure.com