
A Year Affair with Security: the Development of a Security Program and Manager

Holt, Laurence. Proceedings of the 3rd annual conference on Information security curriculum development, 130-135, 2006. Presented by Tamera Goodman, March 8, 2010.


Presentation Transcript


  1. A Year Affair with Security: the Development of a Security Program and Manager. Holt, Laurence. Proceedings of the 3rd annual conference on Information security curriculum development, 130-135, 2006. Presented by Tamera Goodman, March 8, 2010

  2. Organization • Introduction • Initial State • Initial Assessment • Define • Control • Monitor • Conclusions

  3. Introduction • New security manager of a global, decentralized hospital • Firewalls and good engineers • No policy • No infrastructure • No governance • No Strategy

  4. Initial State • The initial challenges: • Learn enough about the company to define what the business needed in order to be secure • Create a security program that fulfills this definition • Identify the key corporate IT and business leaders • Meet regulatory compliance deadlines

  5. Initial State, cont.

  6. Initial Assessment

  7. Define

  8. Control • Human Accounts • Service Accounts • Privileged Accounts • Console Access System • Protect Critical Applications And Services • Prevent critical applications or services from being tampered with • Enforce Separation Of Duties • Identify and enforce differing access policies for the development, QA and production support groups • Use Only Approved Protocols

  9. Monitoring • “In God we trust, all others we monitor” • Monitoring is not just logging • Whitman and Mattord (2006) say, “… the ultimate goal of information security is to achieve nothingness.” • In their 2006 Global Security Survey, Deloitte reports that viruses/worms and spyware/malware were two of the top sources of external breaches • Despite the difficulty, monitoring is vital
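The Control slide (human, service and privileged accounts, a console access system, separation of duties between the development, QA and production support groups, approved protocols only) and the Monitoring slide ("monitoring is not just logging") describe the same thing from two sides: a policy, and the evaluation of logged events against it. The block below is an added example, not code from Holt's paper or from the hospital it describes. It encodes one plausible reading of those controls and runs constructed audit lines through it; the account names, group-to-environment mapping, approved-protocol list, console host names and log format are all assumptions made for the illustration.

```python
# Added example: the Control and Monitoring slides as an executable policy.
# Not code from Holt's paper or the hospital; every account, group, host,
# protocol and log line below is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Set

# "Use only approved protocols": an assumed allow-list.
APPROVED_PROTOCOLS: Set[str] = {"ssh", "https", "ldaps"}

# "Enforce separation of duties": each group reaches only its own
# environment (assumed mapping; production support never touches dev/QA).
GROUP_ENVIRONMENTS: Dict[str, Set[str]] = {
    "dev": {"development"},
    "qa": {"qa"},
    "prodsupport": {"production"},
}

# "Console access system": privileged accounts may act only from these
# jump hosts (assumed names).
CONSOLE_HOSTS: Set[str] = {"console01", "console02"}


@dataclass(frozen=True)
class Account:
    name: str
    kind: str            # "human", "service" or "privileged"
    groups: frozenset


@dataclass(frozen=True)
class Event:
    account: str
    environment: str
    protocol: str
    interactive: bool
    host: str


def parse_event(line: str) -> Event:
    """Parse one constructed audit line ('<timestamp> key=value ...')."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return Event(
        account=fields["user"],
        environment=fields["env"],
        protocol=fields["proto"],
        interactive=fields.get("interactive", "no") == "yes",
        host=fields["host"],
    )


def check_event(accounts: Dict[str, Account], ev: Event) -> List[str]:
    """Return the policy violations one event represents (empty = clean)."""
    acct = accounts.get(ev.account)
    if acct is None:
        return [f"unknown account {ev.account!r}"]
    findings: List[str] = []
    if ev.protocol not in APPROVED_PROTOCOLS:
        findings.append(f"unapproved protocol {ev.protocol}")
    allowed: Set[str] = set()
    for group in acct.groups:
        allowed |= GROUP_ENVIRONMENTS.get(group, set())
    if ev.environment not in allowed:
        findings.append(f"separation of duties: {acct.name} is not permitted in {ev.environment}")
    if acct.kind == "service" and ev.interactive:
        findings.append(f"service account {acct.name} used for an interactive login")
    if acct.kind == "privileged" and ev.host not in CONSOLE_HOSTS:
        findings.append(f"privileged account {acct.name} used outside the console access system ({ev.host})")
    return findings


def monitor(accounts: Dict[str, Account], lines: List[str]) -> Dict[str, List[str]]:
    """Evaluate every logged event against policy; the result is keyed by
    the offending log line. This is the step that turns logging into monitoring."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        findings = check_event(accounts, parse_event(line))
        if findings:
            report[line] = findings
    return report


# Constructed account inventory covering the three account kinds on the slide.
ACCOUNTS = {a.name: a for a in [
    Account("alice", "human", frozenset({"dev"})),
    Account("bob", "human", frozenset({"prodsupport"})),
    Account("svc_backup", "service", frozenset({"prodsupport"})),
    Account("root_ops", "privileged", frozenset({"prodsupport"})),
]}

# Constructed audit lines: timestamp followed by key=value pairs.
SAMPLE_LOG = [
    "2010-03-08T09:00:00 user=alice env=development proto=ssh interactive=yes host=ws-dev-07",
    "2010-03-08T09:05:00 user=alice env=production proto=ssh interactive=yes host=ws-dev-07",
    "2010-03-08T09:10:00 user=svc_backup env=production proto=ssh interactive=yes host=ws-dev-07",
    "2010-03-08T09:15:00 user=bob env=production proto=telnet interactive=yes host=ws-ops-02",
    "2010-03-08T09:20:00 user=root_ops env=production proto=ssh interactive=yes host=ws-ops-02",
    "2010-03-08T09:25:00 user=root_ops env=production proto=ssh interactive=yes host=console01",
]

if __name__ == "__main__":
    for line, findings in monitor(ACCOUNTS, SAMPLE_LOG).items():
        print(line)
        for finding in findings:
            print("   ->", finding)
```

Of the six constructed lines, the first and last are clean; the other four each trip exactly one rule (a developer reaching production, a service account logging in interactively, an unapproved protocol, and a privileged account used off the console hosts). In a real deployment the policy tables would come from the account inventory and the change process rather than from constants, and the report would feed an alerting path rather than stdout; the point the slides make is that the evaluation step has to exist at all.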

  10. Conclusions • The author found that: • definition is the most critical task of a security program • much work already done by others can be utilized, but should not be accepted carte blanche just because it was stated to be good • the work is challenging because the business, threat and technology environments are constantly changing

  11. Conclusions, cont. • Thank you for your time • Questions and feedback are welcome
