This presentation was delivered by FRSecure's Evan Francen to the Uniforum User's Group on November 8th, 2012. More than 50 bankers were in attendance, and the presentation was very well received.
Information security challenges in today’s banking environment
1. Information Security Challenges in Today’s Banking Environment
Uniforum – November 8, 2012
Presented by Evan Francen, President – FRSecure, LLC
http://www.frsecure.com | 952-467-6384
2. Introduction
Thank you for attending!
Thank you to Uniforum for inviting us!
3. Introduction
Before we get started:
• This is not your typical presentation.
• What you have to say is as important as what I am going to tell you.
• You are encouraged to participate!
I will ask you questions, if you don’t ask me some!
4. Introduction
FRSecure
• Information security consulting company – it’s all we do.
• Established in 2008 by people who have earned their stripes in the field.
• We help small to medium sized organizations solve information security challenges.
5. Introduction
Speaker – Evan Francen, CISSP, CISM, CCSK
• President & Co-founder of FRSecure
• 20 years of information security experience
• Security evangelist with more than 700 published articles
• Experience with 150+ public & private organizations.
6. Introduction
Topics
• What drives information security in your organization?
• What is information security?
• Compliance vs. Risk
• Current Threats vs. Future Threats
• Current Regulations vs. Future Regulations
• Solution - Strategic Information Security
• Top Five Things You Should Master (Tactically & Strategically)
• Need Help? – Contact Us!
7. What drives information security at your organization?
This is a question for you.
8. Maybe our explanation of information security would help…
In your opinion/words, what is information security?
9. Information Security Is Not an IT Issue
The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information.
IT-centric information security over-emphasizes Technical Control, often at the expense of Administrative and Physical Control.
IT-centric information security also places an over-emphasis on Availability of systems, sometimes at the expense of Confidentiality and Integrity.
11. Back to our question; what drives information security at your organization?
Compliance vs. Risk
• Information security is not one size fits all
• Who knows your organization better?
• Checklists only work as well as the checklist
• Motivation. You’re in business to make money. Right?
• Strategy. What is the examiner going to ask vs. what are our risks?
Really, there is only one good answer.
12. Back to our question; what drives information security at your organization?
Compliance vs. Risk - Compliance
• Do you have a firewall? Check.
• Do you have an acceptable use policy? Check.
• Do you encrypt the data on your internal network? No?! Well you need to encrypt the data on your internal network.
• Do you have filtered network segmentation on your internal LAN? No?! You need to install firewalls between network segments.
13. Back to our question; what drives information security at your organization?
Compliance vs. Risk - Risk
• You have a firewall. How well does your firewall provide value? Is the firewall effective in controlling access and reducing risk? Is the firewall adequately managed and monitored?
• How does our use of our firewall align with our business objectives?
• What is the risk in how the firewall is currently designed, implemented, and managed?
• How can we take what we’ve learned about our use of the firewall and plan for the future of our business?
14. Compliance vs. Risk
In summary:
Compliance-based information security does not lend itself well to strategy, alignment, or cost-effectiveness.
15. Current Threats vs. Future Threats
Hopefully, we know what challenges we face today.
How do we determine, with any certainty, what threats we face in the future?
• Pay attention to the news.
• Subscribe to security-related publications.
• Continue to participate in user groups.
Good resources: http://www.bankinfosecurity.com/, http://krebsonsecurity.com/, http://isc.sans.edu/, Uniforum, and others.
16. Current Threats vs. Future Threats
Hopefully, we know what challenges we face today.
What should we plan for?
• Risk management, not compliance management
• People are the biggest risk, spend on training & awareness
• More regulatory pressure
• Detective and corrective controls – Plan to be breached.
17. Current Regulations vs. Future Regulations
Can we all agree that regulatory pressure will not decrease?
• Prepare for additional pressure and more intrusive audits/examinations.
• Prepare for more regulation.
• Letter of the law vs. Intent of the law
18. Solution – A strategic approach to information security
Principles of strategic information security:
• Alignment with business objectives
• It’s all about people – culture
• Management involvement
• Proactive vs. Reactive
• Forward-looking
• Formal
OWN IT!
19. Top Five Things You Should Master
#1 – Risk Management
• Where are your most significant risks?
• What risk is the highest (priority)?
• How will we justify our existence (expenditures)?
• How do we measure what we’re doing?
20. Top Five Things You Should Master
#2 – Documented Policies & Procedures
• Policies are one tool we use to set culture.
• What is management’s view?
• Nobody reads policy; no offense.
• People are the biggest risk.
• Policies set direction and governance
21. Top Five Things You Should Master
#3 – Patch Management and Malicious Code Controls
• Together, not one in lieu of the other
• Might be a pain, but it’s worth it (trust me)
• This is the song that never ends…
22. Top Five Things You Should Master
#4 – Training & Awareness
• How do users know what to do if you don’t tell them?
• Remember culture?
23. Top Five Things You Should Master
#5 – Incident Response
24. DON’T FORGET
Sometimes information security professionals forget
these facts!
• Not all risks require mitigation/remediation
• Information security must be strategic
• Information security strategy must align with business strategy
• Avoid business vs. information security scenarios
• Information security controls should be as transparent as possible
25. Top Five Things You Should Master
BONUS
Mobile Device Security
• Data doesn’t stay home anymore
• How do you protect data on mobile devices?
26. How we help – Risk Assessment
27. How we help – Risk Management (Build & Manage)