Protecting the Crown Jewels – Enlist the Beefeaters
In the wake of a constant stream of high-profile breaches, data is not only becoming a highly valued commodity; it is becoming an organization's crown jewels. Who better to protect your crown jewels than the Beefeaters? Tapping into the iconic London Guard's reputation, Jack Nichelson, with the support of the FBI and PwC, has developed an elite force to defend his organization's most valuable assets from even trusted insiders. This talk provides insights into his company's data identification, classification and security initiative, and shares best practices for creating consensus and for engaging and aligning multiple business units to better protect the organization's crown jewels.
1. Are you a Beefeater?
GET FOCUSED ON PROTECTING YOUR CROWN JEWELS
2. Introduction “Solving Problems is my Passion”
I defend my company's competitive advantage by helping solve business
problems through technology to work faster and safer.
Who is Jack Nichelson?
Global Information Security Manager at large manufacturing company
15 years of experience in IT Security & Risk Management
Active in the security community (DefCon, ShmooCon, DerbyCon)
Teach Network Security and advise the Baldwin Wallace CCDC team
3. Problem Statement “No More Borders”
Most security failures can be traced back to failures
of decision making and not failures of technology.
Key Challenges:
A need for information everywhere and on everything.
What is a Crown Jewel, where is it, who needs it, and how is it
protected?
Traditional classification policies and handling guidelines have failed
and are not consistently applied or used for decision making.
The culture inside the organization is not ready to do anything about
sensitive data.
Vendor Management is not part of the Data Classification process.
“For too long, compliance has tested physical assets and ignored
the thing that matters most” - Chris Nickerson
4. Beefeaters
“Change of the Guard”
Once you have the basics covered, it's time to start
focusing on protecting your most important data.
Who better to protect your Crown Jewels than the Beefeaters?
Tap into the iconic London Guard’s reputation, to develop an elite
force to defend your organization’s most valuable assets from
even trusted insiders.
Empower the Data Handlers and
hold the Data Owners responsible
Data Governance…A Team Effort,
But An Individual Responsibility!
5. Solution Approach “Security Spending is out of Balance”
The Power of Three:
FBI – Counterintelligence for Corporate America
Establish a new mental model in leadership about the threats
PWC – Data Governance
Data Classification Criteria, Ranking & Inventory of Data
Elements
SANS – 20 Critical Controls
Align Security Controls with Key Threats to Data Elements
Big increase in IT security
spending - Gartner
Time to stop the unfocused spending on security and find
the right balance of people, process & technology.
6. Counterintelligence “Lead through Awareness”
Mission is to protect the company's classified & proprietary
technologies from theft & protect its most valuable asset –
its People.
Essential Elements of a Counterintelligence Program:
Create an organization-wide Data Privacy & CI Steering Committee
Recognition of the Insider & Foreign threat potential
Internal and external partnerships embedded within the company at
key decision points
Integration of CI and Information Technology
Security & CI Awareness program & communication channel
7. Data Governance
The first step in protecting your data is knowing
its value, so you have a reason to find it.
Data Classification Process:
Gather & Assess Data Elements
“Can't protect what you don’t understand”
o Conduct detailed working sessions to identify & define sensitive data
o Define levels of confidentiality (Public, Internal, Confidential, Restricted)
o Identify data elements, applications, data flows, and create data inventory
Weight & Heat Map Data Elements
o Assign weighting to identified data elements
o Ensure operational activities are aligned with classification
o Create heat map across each functional area of data classifications and risks
o Get management agreement of classification scoring & threats of data loss
8. Security Framework “Focusing your Resources”
The 20 Critical Security Controls focus on prioritizing security
on “What Works” for immediate high-value action.
Guiding Principles:
Start from thinking you have been breached and work backwards
Defenses should focus on most common & damaging attacks
Ensure consistent controls are applied for the right level of impact
Defenses should be automated, measured, and audited
Measurements & metrics that everyone agrees on
“Don’t prioritize too many priorities” – James Tarala
9. Defining Your Critical Data
How to get started:
Process Framework:
DEFINE your critical data assets
DISCOVER critical data security environment
BASELINE critical data security processes and controls
SECURE critical data
MONITOR with proper governance and metrics
Key Steps to Get Started:
Define what is your critical data & how to score it
Define your Data Classification Criteria & Ranking
Create an Inventory of your Data Elements
Establish Processes & Controls to protect your data
10. Information Security Maturity Plan
Milestone Accomplishments
Monthly Security Awareness Training
Patching most systems within 15 days
Removed Java from 85% of workstations
Hard Drive Encryption for Laptops
Web Security with Egress Filtering
Network perimeter-Monitored Firewalls
Minimum Security Baselines
Achieved basic security compliance
Achieved basic blocking & tackling security
12. Classification Criteria
(Columns of the original table: Category, Description, Sample Documents/Records, Marking, Reproduction, Distribution, Storage, Destruction/Disposal)

Public
o Description: Information that can be publicly disclosed.
o Sample documents/records: Marketing materials authorized for public release such as advertisements, brochures, published financial reports, Internet Web pages, catalogues, external public presentations and technical publications.
o Marking: None, except copyright notice if applicable.
o Reproduction: Unlimited.
o Distribution: Not restricted.
o Storage: Not restricted.
o Destruction/Disposal: Recycling/trash.

Internal
o Description: Information whose unauthorized disclosure outside the organization would be inappropriate and inconvenient.
o Sample documents/records: Intranet web pages, internal contact information, newsletters, certain corporate policies and procedures, town hall presentations, benefit options, postings on internal bulletin boards, internal SDS databases.
o Marking: None required, but can be marked "FOR INTERNAL DISTRIBUTION ONLY" if needed.
o Reproduction: Unrestricted internally.
o Distribution: Internal distribution only.
o Storage: Not restricted.
o Destruction/Disposal: Paper: shred. Electronic: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops, printers etc. to IT for appropriate disposal.

Confidential
o Description: Information that will have a moderate* negative material impact on the organization. This information will negatively impact the organization if disclosed. (*Less than $** million loss)
o Sample documents/records: Best Practices, job manuals, R&D technical documents, QA information including test data, Idea Records, engineering drawings and documentation, PLC programs, certain agreements, customer lists, cost information, personal identifiable information, personal health information.
o Marking: Company CONFIDENTIAL, ljk CONFIDENTIAL, ;ldkfj;ljd CONFIDENTIAL (Company CONFIDENTIAL is the umbrella statement for data that can be shared between companies; sdfsdf and sdf Confidential is for the given businesses). Marking is mandatory on the first page.
o Reproduction: Only for legitimate business purposes and to a limited audience. Secure print only.
o Distribution: Internal: distribute to a limited audience, to those who need to know. Link to the document if possible when emailing. Limit printing. External: an appropriate agreement must be in place, or by manager approval only.
o Storage: Encrypted network file share, encrypted USB (company owned), no local storage on hard drive, no storage on personal devices or personal email. Paper confidential documents must be stored under lock and key when not in use.
o Destruction/Disposal: Paper: shred. Electronic: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops, printers etc. to IT for appropriate disposal.

Restricted
o Description: Information that will have a significant* negative material impact on the organization and can provide significant third party personal or competitive financial gain. (*Greater than $** million loss)
o Sample documents/records: Restricted information includes export controlled data, ITAR controlled data, lkjhlk Customer Confidential, sakjhalskfjh Supplier Confidential information, communications marked attorney-client privilege, and M&A information. Information deemed as "crown jewels" by the business team.
o Marking: Company RESTRICTED, FMI RESTRICTED, SEADRIFT RESTRICTED. Marking is mandatory on all pages for all documents. May require additional marking (i.e., export controlled, Seadrift Customer Confidential, etc.) depending on the type of data.
o Reproduction: None, except with the permission of the Business Segment President, the VP of R&D, or the Business Segment Director of Intellectual Property, and all copies are tracked.
o Distribution: Defined distribution list approved by the Business Segment President, the VP of R&D, or the Business Segment Director of Intellectual Property. No further distribution allowed.
o Storage: Encrypted network file share, no local storage on hard drive, no storage on personal devices or personal email. Paper restricted documents must be stored under lock and key when not in use. All restricted data must have encryption at rest and in motion, requiring two factor authentication. Full audit trail required.
o Destruction/Disposal: Paper: shred. Electronic: physically destroy magnetic media. Send CDs, DVDs, dead hard drives, laptops, printers etc. to IT for appropriate disposal.
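The Marking, Distribution and Storage columns of the criteria table are handling rules, and in practice they are most useful once they can be run as a check over an inventory of document copies. The Python below is an added example, not from the deck or from the presenter's organization: it encodes a simplified subset of the table for the four tiers. The Copy fields, the location vocabulary (network_share, local_disk, usb, personal_device, personal_email, paper_locked, paper_unlocked) and the sample copies are constructed assumptions for the illustration.

```python
from dataclasses import dataclass

# Added example: a policy-as-code check over the classification criteria table.
# Field names, the location vocabulary and the sample copies are constructed
# for this illustration; the rules follow the table's Storage, Marking and
# Distribution columns for each tier.

TIERS = ("Public", "Internal", "Confidential", "Restricted")

# Electronic locations each tier's Storage column permits.
ELECTRONIC_ALLOWED = {
    "Confidential": {"network_share", "usb"},  # encrypted share, encrypted company-owned USB
    "Restricted": {"network_share"},           # encrypted share only
}


@dataclass
class Copy:
    """One stored copy of a document and how it is being handled."""
    name: str
    classification: str
    location: str  # network_share | local_disk | usb | personal_device | personal_email | paper_locked | paper_unlocked
    encrypted_at_rest: bool = False
    encrypted_in_transit: bool = False
    two_factor: bool = False
    audit_trail: bool = False
    company_owned_media: bool = True
    marked_pages: str = "none"  # none | first | all
    external_recipients: bool = False
    external_agreement_or_approval: bool = False
    approved_distribution_list: bool = False


def check_handling(c: Copy) -> list:
    """Return the handling-rule violations for one copy (empty list = compliant)."""
    tier = c.classification
    if tier not in TIERS:
        raise ValueError(f"unknown classification: {tier}")
    findings = []
    if tier == "Public":
        return findings  # the table places no restriction on Public
    if tier == "Internal":
        if c.external_recipients:
            findings.append("Internal: internal distribution only")
        return findings

    # Confidential and Restricted: storage rules from the Storage column.
    paper = c.location.startswith("paper")
    if paper:
        if c.location != "paper_locked":
            findings.append(f"{tier}: paper must be under lock and key when not in use")
    elif c.location not in ELECTRONIC_ALLOWED[tier]:
        findings.append(f"{tier}: storage in '{c.location}' not permitted")
    elif not c.encrypted_at_rest:
        findings.append(f"{tier}: electronic storage must be encrypted")
    elif c.location == "usb" and not c.company_owned_media:
        findings.append(f"{tier}: USB media must be company owned")

    if tier == "Confidential":
        if c.marked_pages == "none":
            findings.append("Confidential: marking mandatory on first page")
        if c.external_recipients and not c.external_agreement_or_approval:
            findings.append("Confidential: external distribution needs an agreement or manager approval")
    else:  # Restricted
        if c.marked_pages != "all":
            findings.append("Restricted: marking mandatory on all pages")
        if not paper:
            if not c.encrypted_in_transit:
                findings.append("Restricted: encryption in motion required")
            if not c.two_factor:
                findings.append("Restricted: two factor authentication required")
            if not c.audit_trail:
                findings.append("Restricted: full audit trail required")
        if not c.approved_distribution_list:
            findings.append("Restricted: distribution only via an approved defined list")
    return findings


# Constructed sample inventory of copies (not real documents).
SAMPLE_COPIES = [
    Copy("product brochure", "Public", "personal_email"),
    Copy("town hall deck", "Internal", "local_disk", external_recipients=True),
    Copy("customer list", "Confidential", "local_disk", marked_pages="first"),
    Copy("PLC program", "Confidential", "usb", encrypted_at_rest=True,
         company_owned_media=False, marked_pages="first"),
    Copy("M&A memo", "Restricted", "network_share", encrypted_at_rest=True,
         encrypted_in_transit=True, audit_trail=True, marked_pages="first",
         approved_distribution_list=True),
    Copy("ITAR drawing", "Restricted", "network_share", encrypted_at_rest=True,
         encrypted_in_transit=True, two_factor=True, audit_trail=True,
         marked_pages="all", approved_distribution_list=True),
]


def audit(copies):
    """Map each copy's name to its list of findings."""
    return {c.name: check_handling(c) for c in copies}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_COPIES).items():
        print(name, "->", findings or "compliant")
```

The check is deliberately ordered from storage to marking to distribution so that the first finding for a copy is the one that matters most for loss containment; a real inventory would feed it from a DLP or file-share scan rather than from hand-written Copy records.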
13. Classification Scoring

IMPACT (Impact / Description / Potential loss of earnings or cash flow)
5 Catastrophic / Major: If this risk were to materialize, Company would find it difficult to recover. Over $25,000,000
4 Significant: The consequences of the risk materializing can be managed to some extent. $5,000,000 - $25,000,000
3 Moderate: The consequences of the risk materializing are not severe and can be managed. $1,000,000 - $5,000,000
2 Low: The consequences of the risk materializing are considered relatively unimportant. $100,000 - $1,000,000
1 Negligible: No consequences of this risk materializing are detectable. Less than $100,000

LIKELIHOOD (Likelihood / Description / Frequency of events)
5 Expected (occurs often): At least once a month
4 Probable (known to occur): Once every six months
3 Possible (known to occur occasionally): Once a year
2 Unusual (has occurred somewhere): Once every 3-5 years
1 Remote (could happen, but unlikely): Less than once in 5 years

CONTROLS (Controls / Description)
5 There is no formal or informal control associated with the risk. This includes uncontrollable risks.
4 Controls do not provide reasonable assurance that a risk will be detected consistently or timely. Controls of this type are informal and are insufficient to prevent or mitigate the risk effectively.
3 Controls in place provide assurance with a high level of certainty that a risk will be detected or prevented consistently and timely. Controls of this type are formal, but highly manual. Risk mitigation is implemented in a “reactionary” manner.
2 Controls in place provide assurance with a high level of certainty that a risk will be detected or prevented consistently and timely. Controls of this type are formalized, and tested on a regular basis. Controls of this type are rated as “best practices”.
1 Controls in place provide assurance with the highest level of certainty that a risk will be detected or prevented consistently and timely. These controls are highly formalized, automated and tested on a regular basis. Controls of this type are rated as “exceeding best practices”.
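The three scales above are what the “Weight & Heat Map Data Elements” step of the Data Governance slide consumes: each data element gets an impact, a likelihood and a control rating, and the results are ranked and laid out per functional area. The Python below is an added example, not the presenter's or PwC's tooling, that carries that step through on a constructed inventory. The deck gives the scales but not how they were combined, so the combination rule (impact x likelihood x control level), the mapping from impact level to classification tier, and the inventory numbers are all assumptions made for this illustration.

```python
from dataclasses import dataclass

# Added example: turning the IMPACT, LIKELIHOOD and CONTROLS scales into a
# ranked, heat-mapped inventory. The combination rule (impact x likelihood x
# control level), the tier mapping and the sample inventory are assumptions;
# the deck defines the three scales but not how it combined them.


def impact_level(potential_loss_usd: float) -> int:
    """IMPACT scale from the slide: potential loss of earnings/cash flow."""
    if potential_loss_usd > 25_000_000:
        return 5  # Catastrophic / Major
    if potential_loss_usd >= 5_000_000:
        return 4  # Significant
    if potential_loss_usd >= 1_000_000:
        return 3  # Moderate
    if potential_loss_usd >= 100_000:
        return 2  # Low
    return 1      # Negligible


def likelihood_level(events_per_year: float) -> int:
    """LIKELIHOOD scale from the slide: frequency of events."""
    if events_per_year >= 12:
        return 5  # Expected: at least once a month
    if events_per_year >= 2:
        return 4  # Probable: once every six months
    if events_per_year >= 1:
        return 3  # Possible: once a year
    if events_per_year >= 0.2:
        return 2  # Unusual: once every 3-5 years
    return 1      # Remote: less than once in 5 years


@dataclass
class DataElement:
    name: str
    business_unit: str
    potential_loss_usd: float
    events_per_year: float
    control_level: int  # CONTROLS scale: 5 = no control ... 1 = exceeding best practice


def score(e: DataElement) -> int:
    """Assumed combination: impact x likelihood x control level (1..125, higher = worse)."""
    if not 1 <= e.control_level <= 5:
        raise ValueError("control_level must be 1..5")
    return impact_level(e.potential_loss_usd) * likelihood_level(e.events_per_year) * e.control_level


def tier_from_impact(level: int) -> str:
    """Assumption: Moderate (3) -> Confidential, Significant or worse (4-5) -> Restricted,
    matching the loss footnotes in the criteria table. Public vs Internal is a
    disclosure decision rather than a loss figure, so lower impacts return Internal."""
    if level >= 4:
        return "Restricted"
    if level == 3:
        return "Confidential"
    return "Internal"


def rank(elements):
    """Elements ordered worst-first: the input to a 'what do we fix first' discussion."""
    return sorted(elements, key=score, reverse=True)


def heat_map(elements):
    """Worst score per (business unit, tier) cell, i.e. the slide's heat map across functional areas."""
    cells = {}
    for e in elements:
        key = (e.business_unit, tier_from_impact(impact_level(e.potential_loss_usd)))
        cells[key] = max(cells.get(key, 0), score(e))
    return cells


# Constructed inventory (illustrative numbers, not the presenter's data).
INVENTORY = [
    DataElement("engineering drawings", "R&D", 8_000_000, 0.5, 4),
    DataElement("customer list", "Sales", 2_000_000, 1.5, 3),
    DataElement("employee health records", "HR", 3_000_000, 0.1, 2),
    DataElement("marketing brochures", "Marketing", 10_000, 20, 5),
]

if __name__ == "__main__":
    for e in rank(INVENTORY):
        tier = tier_from_impact(impact_level(e.potential_loss_usd))
        print(f"{score(e):3d}  {tier:12s} {e.name}")
    for (unit, tier), worst in sorted(heat_map(INVENTORY).items()):
        print(f"{unit:10s} {tier:12s} worst score {worst}")
```

Note what the constructed numbers show: the brochures carry almost no loss but score near the top because they are touched constantly and have no controls, while the health records sit at the bottom despite a Confidential tier. That is the point of scoring rather than classifying alone: the tier drives the handling rules, the score drives where control spending goes first.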
15. Summary “There's a reason why technology should be the last step”
Time to stop the unfocused spending on security
and find the right balance of people, process &
technology.
Stop waiting for others and Start today:
People – Counterintelligence Awareness Training
Empower the Data Handlers and hold the Data Owners responsible
Process – Facilitated Discussions
Build a consensus of Data Classification Criteria, Ranking & Inventory of
Data Elements
Technology – Align Security Controls with Key Threats
Implement Security Controls Commensurate with Data Element Scoring
“Good security is not something you have, it’s something you do” – Wendy Nather
16. What Questions are there?
Jack Nichelson
E-mail: Jack@Nichelson.net
Twitter: @Jack0Lope
Editor's notes
What do you do and not your job title?
My Value Proposition “What I do and How I do it” statement
I defend my company's competitive advantage by helping you solve business problems through technology so you can work faster and safer.
OLD:
My job is to transform Information Security into a competitive advantage for Company, by solving business problems through technology to boost profits and reduce costs.
Think like you have been hacked and you have to explain to your CEO why this was not protected by basic security.
Mobile, social, cloud and big data, each a disruptive force, together change everything related to protecting systems and information.
Many organizations are not aware of what their Crown Jewel information is, where it resides, who has access to it, or how it is protected.
Operationalize data governance; bring it back into the hands of the data handlers.
You always hear that the first step in protecting your data is knowing where it is, but I would argue that it's knowing its value.