Do’s and Don’ts of Risk-based Security Management in a Compliance-driven Culture
Security and Regulatory Compliance aren’t the same thing – but they’re often confused
Shahid N. Shah, CEO
NETSPECTIVE

Who is Shahid?
• 20+ years of architecture, design, software engineering, and information assurance (security) in embedded, desktop, and enterprise environments such as
  – FISMA-regulated government systems
  – HIPAA-regulated health IT systems
  – FDA-regulated medical devices and systems
• Has held positions as CTO, Chief Architect, or Senior Engineer in a variety of regulated environments
www.netspective.com
Compliance vs. Security

Compliance vs. Security is like…
(image: two panels, “Compliance” and “Security”)

Human Resources
Law: Compliance
Order: Security

Knowledge
Compliance knowledge bases:
• FISMA
• HIPAA
• FDA
• PCI DSS
• ONC
• SOX
Security knowledge areas:
• Firewalls
• Encryption
• Access Control
• Pen Testing
• Continuous Monitoring
• Packet Analysis

States
Compliance: Usually Binary
Security: Continuous Risk Management

Reality
You can be compliant and not secure, secure but not compliant, or both
(Venn diagram: “Compliant”, “Secure”, and the overlap “Both”)

An example of compliant insecurity
It’s easy to check off compliance boxes and still be insecure
Compliance Requirement
• Encrypt all data at FIPS 140 level
Insecure but compliant
• Full disk encryption
  – Encryption keys stored on same disk
• SSL encryption
  – No TLS negotiation or man in the middle monitoring
Secure and compliant
• Full disk encryption
  – Disk-independent key management
• TLS encryption
  – Force SSL → TLS and monitor for MIM threats

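The SSL-versus-TLS row of the slide above, written out as two client configurations plus a check that flags the weak one. This is an added example, not code from the slides; the names weak_context, hardened_context and audit_context are this example's own, and only the standard-library ssl module is used. It does not address FIPS 140 validation of the cipher implementation, only the negotiation and peer-verification behaviour the slide contrasts.

```python
"""Weak vs. hardened TLS client settings, plus a check that flags the weak one.

Added example, not from the slides. Function names are this example's own.
"""
import ssl
from typing import List


def weak_context() -> ssl.SSLContext:
    """'Insecure but compliant': traffic is encrypted, but any peer and any legacy
    protocol version is accepted, so an interceptor is never noticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # an interceptor's certificate is accepted silently
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # permits negotiating down to TLS 1.0
    return ctx


def hardened_context() -> ssl.SSLContext:
    """'Secure and compliant': forces modern TLS and verifies the peer certificate,
    which is what actually defeats a man-in-the-middle."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED against the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1
    ctx.check_hostname = True
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings that would make a context 'compliant but insecure'.
    An empty list means the context passes the check."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "OK")
```

The audit function is the part worth keeping around: run it over every SSLContext a code base builds (a unit test is enough) and the "encrypted but unverified" configuration that checks the compliance box can no longer ship unnoticed.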

Why does compliant insecurity occur?
Compliance is focused on…
• Regulations
• Meetings & discussions
• Documentation
• Artifact completion checklists
Instead of…
• Risk management
  – Probability of attacks
  – Impact of successful attacks
• Threat models
  – Attack surfaces
  – Attack vectors

Recommendations

Forget compliance
Get your security operations in proper order before concentrating on compliance. Start sounding like a broken record: ask “is this about security or compliance?” often.


Consider costs while planning security
100% security is impossible, so compliance-driven environments must be slowed by cost drivers
Source: Olovsson 1992, “A structured approach to computer security”


Don’t rely on perimeter defense
Firewalls and encryption aren’t enough


Classify data and assets
NIST 800-60 can help you, or you can use your own system (e.g. Microsoft)

Objective | Purpose | Low Impact | Moderate Impact | High Impact
Confidentiality | Protecting personal privacy and proprietary information | Limited adverse effect from disclosure | Serious adverse effect from disclosure | Catastrophic effect from disclosure
Integrity | Guarding against improper information modification or destruction, and nonrepudiation | Limited adverse effect from unauthorized modification | Serious adverse effect from unauthorized modification | Catastrophic effect from unauthorized modification
Availability | Ensuring timely and reliable access to and use of information | Limited adverse effect from service disruption | Serious adverse effect from service disruption | Catastrophic effect from service disruption

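The classification table above, turned into a small categorization routine. This is an added example, not from the slides: it encodes the three objectives and three impact levels of the NIST SP 800-60 / FIPS 199 table, derives each objective's level as the highest level among the information types a system handles, and then applies the FIPS 200 "high water mark" rule (overall impact = the highest of the three objectives) to pick the system's level. The sample information types and their provisional levels are constructed for illustration, not taken from SP 800-60, and the function names are this example's own.

```python
"""Security categorization from the C/I/A impact table (added example, not from the slides)."""
from enum import IntEnum
from typing import Dict, Iterable, Mapping, Tuple


class Impact(IntEnum):
    LOW = 1        # limited adverse effect
    MODERATE = 2   # serious adverse effect
    HIGH = 3       # catastrophic effect


OBJECTIVES = ("confidentiality", "integrity", "availability")
Levels = Tuple[Impact, Impact, Impact]

# Constructed sample information types -> provisional (C, I, A) impact levels.
# Real values come from SP 800-60 Volume II or your own classification scheme.
SAMPLE_INFO_TYPES: Dict[str, Levels] = {
    "public web content":     (Impact.LOW,  Impact.MODERATE, Impact.LOW),
    "patient health records": (Impact.HIGH, Impact.HIGH,     Impact.MODERATE),
    "internal scheduling":    (Impact.LOW,  Impact.LOW,      Impact.LOW),
}


def categorize(info_types: Iterable[str],
               catalog: Mapping[str, Levels] = SAMPLE_INFO_TYPES) -> Dict[str, Impact]:
    """Per-objective security category of a system: for each of C, I and A,
    the highest provisional level across the information types it handles."""
    levels: Dict[str, Impact] = {obj: Impact.LOW for obj in OBJECTIVES}
    for name in info_types:
        for obj, level in zip(OBJECTIVES, catalog[name]):
            levels[obj] = max(levels[obj], level)
    return levels


def high_water_mark(levels: Mapping[str, Impact]) -> Impact:
    """Overall system impact level (FIPS 200 rule): the highest of the three objectives.
    This is the value that selects the baseline control set."""
    return max(levels.values())


def format_sc(levels: Mapping[str, Impact]) -> str:
    """Render in the FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    parts = ", ".join(f"({obj}, {lvl.name})" for obj, lvl in levels.items())
    return f"SC = {{{parts}}}"


if __name__ == "__main__":
    system = ["public web content", "internal scheduling"]
    levels = categorize(system)
    print(format_sc(levels), "->", high_water_mark(levels).name)
```

The point of separating categorize() from high_water_mark() is that the per-objective result is what drives control selection (a system that is HIGH only for availability needs different countermeasures than one that is HIGH for confidentiality), while the single overall level is what the compliance paperwork usually asks for.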

Clearly express business impacts
Only evidence-driven, business-focused impacts should be considered real threats


Create risk and threat models
He will win who, prepared himself, waits to take the enemy unprepared – Sun Tzu
Define threats: create minimal documentation that you will keep up to date
• Capability, for example:
  – Access to the system (how much privilege escalation must occur prior to actualization?)
  – Able to reverse engineer binaries
  – Able to sniff the network
• Skill Level, for example:
  – Experienced hacker
  – Script kiddie
  – Insiders
• Resources and Tools, for example:
  – Simple manual execution
  – Distributed bot army
  – Well-funded organization
  – Access to private information
Motivation + Skills and Capabilities tells you what you’re up against and begins to set the tone for defenses
Source: OWASP.org, Microsoft


Visualize attacks / vulnerabilities


Create an Attack Library
• Password Brute Force
• Buffer Overflow
• Canonicalization
• Cross-Site Scripting
• Cryptanalysis Attack
• Denial of Service
• Forceful Browsing
• Format-String Attacks
• HTTP Replay Attacks
• Integer Overflows
• LDAP Injection
• Man-in-the-Middle
• Network Eavesdropping
• One-Click/Session Riding/CSRF
• Repudiation Attack
• Response Splitting
• Server-Side Code Injection
• Session Hijacking
• SQL Injection
• XML Injection
Source: Microsoft


Collect attack causes and mitigations
Define the relationship between
• The exploit
• The cause
• The fix
Example: SQL Injection
• Cause: Use of dynamic SQL → Fix: Use parameterized SQL, or use stored procedures with no dynamic SQL
• Cause: Ineffective or missing input validation → Fix: Validate input
Source: Microsoft

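The exploit → cause → fix relationship above, worked in code for the SQL injection row. This is an added example, not from the slides or from Microsoft's material. It uses an in-memory SQLite table with constructed rows; lookup_dynamic() is the "cause" column (SQL built from strings), and lookup_parameterized() and validate_username() are the two fixes the slide lists. All function names are this example's own.

```python
"""SQL injection: the cause (dynamic SQL) beside the fixes (parameterized SQL, input validation).

Added example, not from the slides. Sample data is constructed.
"""
import re
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
    ])
    return conn


def lookup_dynamic(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """CAUSE: dynamic SQL. The user's input becomes part of the statement text,
    so input containing quotes or operators changes what the query means."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """FIX: parameterized SQL. The input is bound as a value; the query's shape is fixed
    at compile time, so the same input is only ever compared against the column."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list for the one input this query accepts: lowercase alphanumerics and
# underscore, 1-32 characters. The pattern is this example's assumption.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username: str) -> bool:
    """FIX (defense in depth): reject input that cannot be a valid username before it
    reaches the database. Validation complements binding; it does not replace it."""
    return USERNAME_RE.fullmatch(username) is not None


def safe_lookup(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Both fixes together: validate, then bind."""
    if not validate_username(username):
        return []
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    for probe in ("alice", "' OR '1'='1"):
        print(repr(probe), "dynamic:", len(lookup_dynamic(db, probe)),
              "parameterized:", len(lookup_parameterized(db, probe)),
              "validated:", validate_username(probe))
```

When this slide's table is kept as a living document, each row should point at a test like the one above: the "cause" function is what a code review or static analysis rule should flag, and the "fix" functions are what the mitigation actually looks like in the code base.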

How you know you’re “secure”
• Value of assets to be protected is understood
• Known threats, their occurrence, and how they will impact the business are cataloged
• Kinds of attacks and vulnerabilities have been identified along with estimated costs
• Countermeasures associated with attacks and vulnerabilities, along with the cost of mitigation, are understood
• Real risk-based analysis drives decisions, not security theater


Review security body of knowledge
Everyone
• FIPS Publication 199 (Security Categorization)
• FIPS Publication 200 (Minimum Security Requirements)
• NIST Special Publication 800-60 (Security Category Mapping)
Security ops and developers
• NIST Special Publication 800-53 (Recommended Security Controls)
• Microsoft Patterns & Practices, Security Engineering
• OWASP
Executives and security ops
• NIST Special Publication 800-18 (Security Planning)
• NIST Special Publication 800-30 (Risk Management)
Auditors
• NIST Special Publication 800-53 (Recommended Security Controls)
• NIST Special Publication 800-53A Rev 1 (Security Control Assessment)
• NIST Special Publication 800-37 (Certification & Accreditation)


Key Takeaway
• If you have good security operations in place then meeting compliance requirements is easier and more straightforward.
• Even if you have a great compliance track record, it doesn’t mean that you have real security.

Visit
http://www.netspective.com
http://www.healthcareguy.com
E-mail shahid.shah@netspective.com
Follow @ShahidNShah
Call 202-713-5409

Thank You

Guaranteeing successful EHR implementationsShahid Shah
 
The EMR/EHR and Health IT Landscape for Sales Professionals
The EMR/EHR and Health IT Landscape for Sales ProfessionalsThe EMR/EHR and Health IT Landscape for Sales Professionals
The EMR/EHR and Health IT Landscape for Sales ProfessionalsShahid Shah
 
How Wireless Networks Empower Patients
How Wireless Networks Empower PatientsHow Wireless Networks Empower Patients
How Wireless Networks Empower PatientsShahid Shah
 
Building safety-critical medical device platforms and Meaningful Use EHR gate...
Building safety-critical medical device platforms and Meaningful Use EHR gate...Building safety-critical medical device platforms and Meaningful Use EHR gate...
Building safety-critical medical device platforms and Meaningful Use EHR gate...Shahid Shah
 
Reasons why health data is poorly integrated today and what we can do about it
Reasons why health data is poorly integrated today and what we can do about itReasons why health data is poorly integrated today and what we can do about it
Reasons why health data is poorly integrated today and what we can do about itShahid Shah
 
OSEHRA Summit 2012 Lunch Keynote: Current health IT systems integrate poorly ...
OSEHRA Summit 2012 Lunch Keynote: Current health IT systems integrate poorly ...OSEHRA Summit 2012 Lunch Keynote: Current health IT systems integrate poorly ...
OSEHRA Summit 2012 Lunch Keynote: Current health IT systems integrate poorly ...Shahid Shah
 
Med Device Vendors Have Big Opportunities in Health IT Software, Services, an...
Med Device Vendors Have Big Opportunities in Health IT Software, Services, an...Med Device Vendors Have Big Opportunities in Health IT Software, Services, an...
Med Device Vendors Have Big Opportunities in Health IT Software, Services, an...Shahid Shah
 
OSEHRA and VistA Platform Overview
OSEHRA and VistA Platform OverviewOSEHRA and VistA Platform Overview
OSEHRA and VistA Platform OverviewShahid Shah
 

Mehr von Shahid Shah (20)

Demand connected medical devices to improve military EHRs
Demand connected medical devices to improve military EHRsDemand connected medical devices to improve military EHRs
Demand connected medical devices to improve military EHRs
 
The biggest opportunities in digital health for Turkey's Medical Sector
The biggest opportunities in digital health  for Turkey's Medical Sector The biggest opportunities in digital health  for Turkey's Medical Sector
The biggest opportunities in digital health for Turkey's Medical Sector
 
Reasons Why Health Data is Poorly Integrated Today and What We Can Do About It
Reasons Why Health Data is Poorly Integrated Today and What We Can Do About ItReasons Why Health Data is Poorly Integrated Today and What We Can Do About It
Reasons Why Health Data is Poorly Integrated Today and What We Can Do About It
 
How to Use Open Source Technologies in Safety-critical Digital Health Applica...
How to Use Open Source Technologies in Safety-critical Digital Health Applica...How to Use Open Source Technologies in Safety-critical Digital Health Applica...
How to Use Open Source Technologies in Safety-critical Digital Health Applica...
 
Open Source is a great opportunity for EHR, Digital Health, and Health IT Int...
Open Source is a great opportunity for EHR, Digital Health, and Health IT Int...Open Source is a great opportunity for EHR, Digital Health, and Health IT Int...
Open Source is a great opportunity for EHR, Digital Health, and Health IT Int...
 
HxRefactored: Stop dreaming about fluid data interoperability and start focus...
HxRefactored: Stop dreaming about fluid data interoperability and start focus...HxRefactored: Stop dreaming about fluid data interoperability and start focus...
HxRefactored: Stop dreaming about fluid data interoperability and start focus...
 
The shift from Fee for Service to Outcomes-Driven care means huge opportuniti...
The shift from Fee for Service to Outcomes-Driven care means huge opportuniti...The shift from Fee for Service to Outcomes-Driven care means huge opportuniti...
The shift from Fee for Service to Outcomes-Driven care means huge opportuniti...
 
Architecting, designing and building medical devices in an outcomes focused B...
Architecting, designing and building medical devices in an outcomes focused B...Architecting, designing and building medical devices in an outcomes focused B...
Architecting, designing and building medical devices in an outcomes focused B...
 
Connected medical devices
Connected medical devicesConnected medical devices
Connected medical devices
 
Healthcare New Media Marketing Conference Keynote
Healthcare New Media Marketing Conference KeynoteHealthcare New Media Marketing Conference Keynote
Healthcare New Media Marketing Conference Keynote
 
How to Commercialize Your Healthcare/IT/Media Product
How to Commercialize Your Healthcare/IT/Media ProductHow to Commercialize Your Healthcare/IT/Media Product
How to Commercialize Your Healthcare/IT/Media Product
 
What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?
What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?
What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?
 
Guaranteeing successful EHR implementations
Guaranteeing successful EHR implementationsGuaranteeing successful EHR implementations
Guaranteeing successful EHR implementations
 
The EMR/EHR and Health IT Landscape for Sales Professionals
The EMR/EHR and Health IT Landscape for Sales ProfessionalsThe EMR/EHR and Health IT Landscape for Sales Professionals
The EMR/EHR and Health IT Landscape for Sales Professionals
 
How Wireless Networks Empower Patients
How Wireless Networks Empower PatientsHow Wireless Networks Empower Patients
How Wireless Networks Empower Patients
 
Building safety-critical medical device platforms and Meaningful Use EHR gate...
Building safety-critical medical device platforms and Meaningful Use EHR gate...Building safety-critical medical device platforms and Meaningful Use EHR gate...
Building safety-critical medical device platforms and Meaningful Use EHR gate...
 
Reasons why health data is poorly integrated today and what we can do about it
Reasons why health data is poorly integrated today and what we can do about itReasons why health data is poorly integrated today and what we can do about it
Reasons why health data is poorly integrated today and what we can do about it
 
OSEHRA Summit 2012 Lunch Keynote: Current health IT systems integrate poorly ...
OSEHRA Summit 2012 Lunch Keynote: Current health IT systems integrate poorly ...OSEHRA Summit 2012 Lunch Keynote: Current health IT systems integrate poorly ...
OSEHRA Summit 2012 Lunch Keynote: Current health IT systems integrate poorly ...
 
Med Device Vendors Have Big Opportunities in Health IT Software, Services, an...
Med Device Vendors Have Big Opportunities in Health IT Software, Services, an...Med Device Vendors Have Big Opportunities in Health IT Software, Services, an...
Med Device Vendors Have Big Opportunities in Health IT Software, Services, an...
 
OSEHRA and VistA Platform Overview
OSEHRA and VistA Platform OverviewOSEHRA and VistA Platform Overview
OSEHRA and VistA Platform Overview
 

Kürzlich hochgeladen

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 

Kürzlich hochgeladen (20)

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 

Do’s and Don’ts of Risk-based Security management in a Compliance-driven Culture

  • 1. Do’s and Don’ts of Risk-based Security Management in a Compliance-driven Culture
    Security and Regulatory Compliance aren’t the same thing – but they’re often confused
    Shahid N. Shah, CEO
  • 2. NETSPECTIVE – Who is Shahid?
    • 20+ years of architecture, design, software engineering, and information assurance (security) in embedded, desktop, and enterprise environments such as
      – FISMA-regulated government systems
      – HIPAA-regulated health IT systems
      – FDA-regulated medical devices and systems
    • Have held positions as CTO, Chief Architect, or Senior Engineer in a variety of regulated environments
    www.netspective.com
  • 4. Compliance vs. Security is like…
    (image: two pictures, captioned “Compliance” and “Security”)
  • 6. Knowledge
    Compliance knowledge bases
      – FISMA
      – HIPAA
      – FDA
      – PCI DSS
      – ONC
      – SOX
    Security knowledge areas
      – Firewalls
      – Encryption
      – Access Control
      – Pen Testing
      – Continuous Monitoring
      – Packet Analysis
  • 8. Reality
    You can be compliant and not secure, secure but not compliant, or both
    (image: Venn diagram with regions “Compliant”, “Both”, “Secure”)
  • 9. An example of compliant insecurity
    It’s easy to check off compliance boxes and still be insecure
    Compliance requirement
      • Encrypt all data at FIPS 140 level
    Insecure but compliant
      • Full disk encryption
        – Encryption keys stored on the same disk
      • SSL encryption
        – No TLS negotiation or man-in-the-middle monitoring
    Secure and compliant
      • Full disk encryption
        – Disk-independent key management
      • TLS encryption
        – Force SSL → TLS and monitor for man-in-the-middle threats
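The “SSL encryption” row is the kind of box that can be ticked while the connection still accepts whoever answers. The added example below (not part of the deck; written here to make the slide concrete) builds the two client configurations with Python’s standard `ssl` module: a legacy context that encrypts but verifies nothing, and a hardened one that forces TLS 1.2 or newer and verifies the peer, plus a small audit function that a review or a CI check could run over any context to flag the “compliant but insecure” settings. Names such as `legacy_context` and `audit_context` are this example’s own.

```python
import ssl


def legacy_context() -> ssl.SSLContext:
    """The 'insecure but compliant' column: traffic is encrypted, but the peer's
    certificate and hostname are never checked, so an interposed party goes
    unnoticed and any protocol version OpenSSL still offers is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The 'secure and compliant' column: the default context already requires
    a trusted certificate and a matching hostname; we additionally pin the
    protocol floor so legacy SSL/TLS 1.0/1.1 can never be negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return human-readable findings for settings that would let a
    man-in-the-middle succeed. Empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor too low: {ctx.minimum_version.name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(label, audit_context(ctx) or "OK")
```

Running the audit against the two contexts shows the difference the slide is making: both “encrypt”, only one resists interposition. The same check can be applied to contexts pulled out of real client code at review time.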
  • 10. Why does compliant insecurity occur?
    Compliance is focused on…
      • Regulations
      • Meetings & discussions
      • Documentation
      • Artifact completion checklists
    Instead of…
      • Risk management
        – Probability of attacks
        – Impact of successful attacks
      • Threat models
        – Attack surfaces
        – Attack vectors
  • 12. Forget compliance
    Get your security operations in proper order before concentrating on compliance.
    Start sounding like a broken record: ask “is this about security or compliance?” often.
  • 13. Consider costs while planning security
    100% security is impossible, so compliance-driven environments must be slowed by cost drivers.
    Source: Olovsson 1992, “A structured approach to computer security”
  • 14. Don’t rely on perimeter defense
    Firewalls and encryption aren’t enough
  • 15. Classify data and assets
    NIST 800-60 can help you, or you can use your own system (e.g. Microsoft)
    Objective       | Purpose                                                                              | Low Impact                                             | Moderate Impact                                        | High Impact
    Confidentiality | Protecting personal privacy and proprietary information                              | Limited adverse effect from disclosure                 | Serious adverse effect from disclosure                 | Catastrophic effect from disclosure
    Integrity       | Guarding against improper information modification or destruction and nonrepudiation | Limited adverse effect from unauthorized modification  | Serious adverse effect from unauthorized modification  | Catastrophic effect from unauthorized modification
    Availability    | Ensuring timely and reliable access to and use of information                        | Limited adverse effect from service disruption         | Serious adverse effect from service disruption         | Catastrophic effect from service disruption
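The table above is the FIPS 199 impact matrix that NIST SP 800-60 builds on; what the slide does not show is how the per-objective ratings of several information types roll up into a system categorization. The example below is added here (it is not from the deck) and implements the high-water-mark rule from FIPS 199: for each objective take the highest impact over all information types the system handles, then take the highest objective as the overall system impact. The information types and their ratings are constructed for illustration, not taken from SP 800-60’s provisional values.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Effect wording per objective and level, as given in the slide's table.
EFFECT = {
    "confidentiality": "disclosure",
    "integrity": "unauthorized modification",
    "availability": "service disruption",
}
SEVERITY = {Impact.LOW: "Limited adverse", Impact.MODERATE: "Serious adverse",
            Impact.HIGH: "Catastrophic"}


@dataclass(frozen=True)
class InfoType:
    """One information type handled by the system, rated per objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def system_category(info_types: list[InfoType]) -> dict[str, Impact]:
    """FIPS 199 high-water mark: per objective, the maximum impact across
    every information type the system stores, processes or transmits."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {
        "confidentiality": max(t.confidentiality for t in info_types),
        "integrity": max(t.integrity for t in info_types),
        "availability": max(t.availability for t in info_types),
    }


def overall_impact(category: dict[str, Impact]) -> Impact:
    """The system's overall impact level is the highest of its three objectives."""
    return max(category.values())


def describe(system: str, info_types: list[InfoType]) -> str:
    """Render the categorization in the SC notation FIPS 199 uses, with the
    slide's effect wording for each objective."""
    cat = system_category(info_types)
    parts = ", ".join(f"({obj}, {lvl.name})" for obj, lvl in cat.items())
    lines = [f"SC {system} = {{{parts}}}  -> overall {overall_impact(cat).name}"]
    for obj, lvl in cat.items():
        lines.append(f"  {obj}: {SEVERITY[lvl]} effect from {EFFECT[obj]}")
    return "\n".join(lines)


# Constructed example: a patient portal and the information types it handles.
PORTAL_TYPES = [
    InfoType("patient health records", Impact.HIGH, Impact.HIGH, Impact.MODERATE),
    InfoType("public education content", Impact.LOW, Impact.MODERATE, Impact.LOW),
    InfoType("appointment scheduling", Impact.MODERATE, Impact.MODERATE, Impact.MODERATE),
]

if __name__ == "__main__":
    print(describe("patient portal", PORTAL_TYPES))
```

Because one HIGH rating anywhere lifts the whole system, the practical lesson is the one the slide heads for: decide which information types really belong on a system before you categorize it, since that decision sets the control baseline you will then be held to.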
  • 16. Clearly express business impacts
    Only evidence-driven, business-focused impacts should be considered real threats
  • 17. Create risk and threat models
    “He will win who, prepared himself, waits to take the enemy unprepared” – Sun Tzu
    Define threats: create minimal documentation that you will keep up to date
    • Capability, for example:
      – Access to the system (how much privilege escalation must occur prior to actualization?)
      – Able to reverse engineer binaries
      – Able to sniff the network
    • Skill level, for example:
      – Experienced hacker
      – Script kiddie
      – Insiders
    • Resources and tools, for example:
      – Simple manual execution
      – Distributed bot army
      – Well-funded organization
      – Access to private information
    Motivation + skills and capabilities tells you what you’re up against and begins to set the tone for defenses
    Source: OWASP.org, Microsoft
  • 18. Visualize attacks / vulnerabilities
    (image only)
  • 19. Create an Attack Library
    • Password Brute Force
    • Buffer Overflow
    • Canonicalization
    • Cross-Site Scripting
    • Cryptanalysis Attack
    • Denial of Service
    • Forceful Browsing
    • Format-String Attacks
    • HTTP Replay Attacks
    • Integer Overflows
    • LDAP Injection
    • Man-in-the-Middle
    • Network Eavesdropping
    • One-Click/Session Riding/CSRF
    • Repudiation Attack
    • Response Splitting
    • Server-Side Code Injection
    • Session Hijacking
    • SQL Injection
    • XML Injection
    Source: Microsoft
  • 20. Collect attack causes and mitigations
    Define the relationship between
      • The exploit
      • The cause
      • The fix
    Example: SQL Injection
      Causes
        – Use of dynamic SQL
        – Ineffective or missing input validation
      Fixes
        – Use parameterized SQL
        – Validate input
        – Use stored procedures with no dynamic SQL
    Source: Microsoft
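The exploit/cause/fix triple for SQL injection is easiest to keep in a library when each leg is written down as code. The added example below (constructed for this page, not from the deck) puts the cause beside two of the listed fixes using Python’s built-in `sqlite3`: a lookup built by string concatenation, the same lookup with a parameterized query, and an allowlist validator for the input. The table, users and the `CRAFTED` input are constructed; function names are this example’s own.

```python
import re
import sqlite3

# A crafted value of the kind an input validator or a WAF log would flag:
# in the dynamic version it turns the WHERE clause into a tautology.
CRAFTED = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "clinician")])
    return conn


def lookup_dynamic(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """CAUSE: dynamic SQL. The untrusted value is spliced into the statement
    text, so the database cannot tell data from code."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """FIX: parameterized SQL. The statement is fixed; the value travels
    separately as a bound parameter and is only ever compared, never parsed."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


def is_valid_username(username: str) -> bool:
    """FIX (defense in depth): allowlist validation. Rejects anything outside
    the shape a username is allowed to have; complements, does not replace,
    parameterization."""
    return re.fullmatch(r"[a-z0-9_]{1,32}", username) is not None


if __name__ == "__main__":
    db = make_db()
    print("dynamic SQL, crafted input  ->", lookup_dynamic(db, CRAFTED))
    print("parameterized, crafted input ->", lookup_parameterized(db, CRAFTED))
    print("validator accepts crafted?   ->", is_valid_username(CRAFTED))
```

With the crafted value the dynamic query returns every row while the parameterized one returns none, and the validator rejects the input before it reaches the database at all. Recording each fix next to its cause this way also tells a reviewer which of the slide’s three mitigations a given code path actually has.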
  • 21. How you know you’re “secure”
    • The value of the assets to be protected is understood
    • Known threats, how often they occur, and how they will impact the business are cataloged
    • Kinds of attacks and vulnerabilities have been identified, along with estimated costs
    • Countermeasures associated with attacks and vulnerabilities, along with the cost of mitigation, are understood
    • Decisions are driven by real risk analysis, not security theater
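Slides 10, 13 and 21 together describe a decision: probability and impact of an attack on one side, cost of the countermeasure on the other, and no pretence that 100% security is affordable. The example below is added here (it is not from the deck) and works that decision through with the usual annualized-loss arithmetic: single loss = asset value × exposure factor, annual loss = single loss × expected occurrences per year, and a control is worth funding when the loss it removes exceeds what it costs. The two risks and all their numbers are constructed; the field names and `decide` function are this example’s own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float        # value of what is at stake, in currency units
    exposure_factor: float    # fraction of asset value lost per successful attack, 0..1
    annual_rate: float        # expected successful attacks per year (probability)
    mitigation_cost: float    # annualized cost of the proposed countermeasure
    mitigation_effect: float  # fraction of annual_rate the countermeasure removes, 0..1

    def __post_init__(self):
        # Edge case: the arithmetic silently produces nonsense for fractions
        # outside 0..1 or negative money, so refuse them up front.
        for field in ("exposure_factor", "mitigation_effect"):
            if not 0.0 <= getattr(self, field) <= 1.0:
                raise ValueError(f"{field} must be within 0..1")
        for field in ("asset_value", "annual_rate", "mitigation_cost"):
            if getattr(self, field) < 0:
                raise ValueError(f"{field} must be non-negative")


def single_loss(r: Risk) -> float:
    """Impact of one successful attack."""
    return round(r.asset_value * r.exposure_factor, 2)


def annual_loss(r: Risk, mitigated: bool = False) -> float:
    """Expected yearly loss: impact times probability, optionally after the control."""
    rate = r.annual_rate * (1.0 - r.mitigation_effect) if mitigated else r.annual_rate
    return round(single_loss(r) * rate, 2)


def mitigation_benefit(r: Risk) -> float:
    """Loss avoided per year minus what the control costs per year."""
    return round(annual_loss(r) - annual_loss(r, mitigated=True) - r.mitigation_cost, 2)


def decide(r: Risk) -> str:
    """Fund the control only when it removes more loss than it costs;
    otherwise accept the risk or look for a cheaper control."""
    return "fund" if mitigation_benefit(r) > 0 else "accept"


def prioritize(risks: list[Risk]) -> list[str]:
    """Names ordered by unmitigated annual loss, largest first."""
    return [r.name for r in sorted(risks, key=annual_loss, reverse=True)]


# Constructed risks for a hypothetical patient portal.
RISKS = [
    Risk("SQL injection against patient records", 2_000_000, 0.25, 0.5, 60_000, 0.9),
    Risk("Public website defacement", 100_000, 0.5, 0.2, 30_000, 0.9),
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name}: ALE {annual_loss(r):,.0f} -> {annual_loss(r, True):,.0f} "
              f"after control costing {r.mitigation_cost:,.0f}; decision: {decide(r)}")
```

The point is not the exact numbers, which are estimates either way, but that a compliance checklist cannot produce the second line of the output: the defacement control is declined because the evidence does not justify its cost, which is the “evidence-driven, business-focused” reasoning slide 16 asks for.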
  • 22. Review the security body of knowledge
    Everyone
      • FIPS Publication 199 (Security Categorization)
      • FIPS Publication 200 (Minimum Security Requirements)
      • NIST Special Publication 800-60 (Security Category Mapping)
    Security ops and developers
      • NIST Special Publication 800-53 (Recommended Security Controls)
      • Microsoft Patterns & Practices, Security Engineering
      • OWASP
    Executives and security ops
      • NIST Special Publication 800-18 (Security Planning)
      • NIST Special Publication 800-30 (Risk Management)
    Auditors
      • NIST Special Publication 800-53 (Recommended Security Controls)
      • NIST Special Publication 800-53A Rev 1 (Security Control Assessment)
      • NIST Special Publication 800-37 (Certification & Accreditation)
  • 23. Key Takeaway
    • If you have good security operations in place, then meeting compliance requirements is easier and more straightforward.
    • Even if you have a great compliance track record, it doesn’t mean that you have real security.