Are you a Beefeater? 
GET FOCUSED ON PROTECTING YOUR CROWN JEWELS
Introduction “Solving Problems is my Passion”
I defend my company's competitive advantage by helping solve business problems through technology to work faster and safer.
Who is Jack Nichelson?
• Global Information Security Manager at large manufacturing company
• 15 years of experience in IT Security & Risk Management
• Active in the security community (DefCon, ShmooCon, DerbyCon)
• Teach Network Security and advise the Baldwin Wallace CCDC team
Problem Statement “No More Borders”
Most security failures can be traced back to failures of decision making and not failures of technology.
Key Challenges:
• A need for information everywhere and on everything.
• What is a Crown Jewel, where is it, who needs it, and how is it protected?
• Traditional classification policies and handling guidelines have failed and are not consistently applied or used for decision making.
• The culture inside the organization is not ready to do anything about sensitive data.
• Vendor Management is not part of the Data Classification process.
“For too long, compliance has tested physical assets and ignored the thing that matters most” – Chris Nickerson
Beefeaters “Change of the Guard”
Once you have the basics covered, it's time to start focusing on protecting your most important data.
Who better to protect your Crown Jewels than the Beefeaters? Tap into the iconic London Guard's reputation to develop an elite force to defend your organization's most valuable assets from even trusted insiders.
Empower the Data Handlers and hold the Data Owners responsible.
Data Governance… A Team Effort, But An Individual Responsibility!
Solution Approach “Security Spending is out of Balance”
The Power of Three:
• FBI – Counterintelligence for Corporate America
  o Establish a new mental model in leadership about the threats
• PWC – Data Governance
  o Data Classification Criteria, Ranking & Inventory of Data Elements
• SANS – 20 Critical Controls
  o Align Security Controls with Key Threats to Data Elements
[Chart: Big increase in IT security spending – Gartner]
Time to stop the unfocused spending on security and find the right balance of people, process & technology.
Counterintelligence “Lead through Awareness”
Mission is to protect the company's classified & proprietary technologies from theft & protect its most valuable asset – its people.
Essential Elements of a Counterintelligence Program:
• Create an organization-wide Data Privacy & CI Steering Committee
• Recognition of the Insider & Foreign threat potential
• Internal and external partnerships embedded within the company at key decision points
• Integration of CI and Information Technology
• Security & CI Awareness program & communication channel
Data Governance
The first step in protecting your data is knowing its value, so you have a reason to find it.
Data Classification Process:
• Gather & Assess Data Elements – “Can't protect what you don't understand”
  o Conduct detailed working sessions to identify & define sensitive data
  o Define levels of confidentiality (Public, Internal, Confidential, Restricted)
  o Identify data elements, applications, data flows, and create data inventory
• Weight & Heat Map Data Elements
  o Assign weighting to identified data elements
  o Ensure operational activities are aligned with classification
  o Create heat map across each functional area of data classifications and risks
  o Get management agreement of classification scoring & threats of data loss
Security Framework “Focusing your Resources”
The 20 Critical Security Controls focus on prioritizing security on “What Works” for immediate high-value action.
Guiding Principles:
• Start from thinking you have been breached and work backwards
• Defenses should focus on most common & damaging attacks
• Ensure consistent controls are applied for the right level of impact
• Defenses should be automated, measured, and audited
• Measurements & metrics that everyone agrees on
“Don't prioritize too many priorities” – James Tarala
Defining Your Critical Data
How to get started:
Process Framework:
• DEFINE your critical data assets
• DISCOVER critical data security environment
• BASELINE critical data security processes and controls
• SECURE critical data
• MONITOR with proper governance and metrics
Key Steps to Get Started:
• Define what your critical data is & how to score it
• Define your Data Classification Criteria & Ranking
• Create an Inventory of your Data Elements
• Establish Process & Controls to protect your data
Information Security Maturity Plan
Milestone Accomplishments:
• Monthly Security Awareness Training
• Patching most systems within 15 days
• Removed Java from 85% of workstations
• Hard Drive Encryption for Laptops
• Web Security with Egress Filtering
• Network perimeter: Monitored Firewalls
• Minimum Security Baselines
Achieved basic security compliance
Achieved basic blocking & tackling security
Data Governance Roadmap
Classification Criteria
(Columns: Category, Description, Sample Documents/Records, Marking, Reproduction, Distribution, Storage, Destruction/Disposal)

Public
  Description: Information that can be publicly disclosed.
  Sample documents/records: Marketing materials authorized for public release such as advertisements, brochures, published financial reports, Internet Web pages, catalogues, external public presentations and technical publications.
  Marking: None, except copyright notice if applicable.
  Reproduction: Unlimited.
  Distribution: Not restricted.
  Storage: Not restricted.
  Destruction/Disposal: Recycling/trash.

Internal
  Description: Information whose unauthorized disclosure outside the organization would be inappropriate and inconvenient.
  Sample documents/records: Intranet web pages, internal contact information, newsletters, certain corporate policies and procedures, town hall presentations, benefit options, postings on internal bulletin boards, internal SDS databases.
  Marking: None required, but can be marked "FOR INTERNAL DISTRIBUTION ONLY" if needed.
  Reproduction: Unrestricted internally.
  Distribution: Internal distribution only.
  Storage: Not restricted.
  Destruction/Disposal: Paper: shred. Electronic: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops, printers etc. to IT for appropriate disposal.

Confidential
  Description: Information that will have a moderate* negative material impact on the organization. This information will negatively impact the organization if disclosed. (*Less than $** million loss)
  Sample documents/records: Best practices, job manuals, R&D technical documents, QA information including test data, Idea Records, engineering drawings and documentation, PLC programs, certain agreements, customer lists, cost information, personally identifiable information, personal health information.
  Marking: Company CONFIDENTIAL or [business unit] CONFIDENTIAL (Company CONFIDENTIAL is the umbrella statement for data that can be shared between companies; [business unit] Confidential is for the given businesses). Marking is mandatory on first page.
  Reproduction: Only for legitimate business purposes and to a limited audience. Secure print only.
  Distribution: Internal: distribute to a limited audience of those who need to know. Link to the document if possible when emailing. Limit printing. External: need appropriate agreement in place or by manager approval only.
  Storage: Encrypted network file share, encrypted USB (company owned), no local storage on hard drive, no storage on personal devices or personal email. Paper confidential documents must be stored under lock and key when not in use.
  Destruction/Disposal: Paper: shred. Electronic: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops, printers etc. to IT for appropriate disposal.

Restricted
  Description: Information that will have a significant* negative material impact on the organization and can provide significant third party personal or competitive financial gain. (*Greater than $** million loss)
  Sample documents/records: Restricted information includes export controlled data, ITAR controlled data, [business unit] Customer Confidential, [business unit] Supplier Confidential information, communications marked attorney-client privilege, and M&A information. Information deemed as "crown jewels" by the business team.
  Marking: Company RESTRICTED, FMI RESTRICTED, SEADRIFT RESTRICTED. Marking is mandatory on all pages for all documents. May require additional marking (e.g., export controlled, Seadrift Customer Confidential, etc.) depending on type of data.
  Reproduction: None, except with the permission of the Business Segment President, the VP of R&D, or Business Segment Director of Intellectual Property, and all copies are tracked.
  Distribution: Defined distribution list approved by the Business Segment President, the VP of R&D, or Business Segment Director of Intellectual Property. No further distribution allowed.
  Storage: Encrypted network file share, no local storage on hard drive, no storage on personal devices or personal email. Paper restricted documents must be stored under lock and key when not in use. All restricted data must have encryption at rest and in motion requiring two factor authentication. Full audit trail required.
  Destruction/Disposal: Paper: shred. Electronic: physically destroy magnetic media. Send CDs, DVDs, dead hard drives, laptops, printers etc. to IT for appropriate disposal.
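The handling rules in the table can be encoded so that a data inventory or DLP policy can be checked against them automatically. The checker below is an added example, not the deck's own code: the tiers and the storage, distribution, reproduction and marking rules come from the table above, while the event fields, location identifiers and approval labels are constructed for the example.

```python
"""Handling-rule checker built from the deck's Classification Criteria table.

Added example, not the author's code. Tier names and rules follow the table;
event fields, location identifiers and approval labels are constructed here.
"""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    PUBLIC = "Public"
    INTERNAL = "Internal"
    CONFIDENTIAL = "Confidential"
    RESTRICTED = "Restricted"


# Storage locations permitted per tier (None = "Not restricted" in the table).
# The location identifiers are constructed stand-ins for the table's wording.
ALLOWED_STORAGE = {
    Tier.PUBLIC: None,
    Tier.INTERNAL: None,
    Tier.CONFIDENTIAL: {"encrypted_network_share", "encrypted_company_usb", "locked_cabinet"},
    Tier.RESTRICTED: {"encrypted_network_share", "locked_cabinet"},
}

# Approvals that permit distribution per tier. Confidential needs an agreement
# or manager approval for external audiences; Restricted needs the named
# executive sign-off (constructed label "executive") for any distribution.
DISTRIBUTION_APPROVALS = {
    Tier.CONFIDENTIAL: {"agreement", "manager"},
    Tier.RESTRICTED: {"executive"},
}


@dataclass
class HandlingEvent:
    tier: Tier
    action: str                # "store", "distribute" or "reproduce"
    location: str = ""         # storage location (store only)
    external: bool = False     # audience outside the company (distribute only)
    approval: str = ""         # "", "manager", "agreement" or "executive"
    mfa: bool = False          # two-factor authentication enforced on the store
    audit_trail: bool = False  # full audit trail kept for the store
    marked: bool = False       # document carries the tier's required marking


def violations(ev: HandlingEvent) -> list:
    """Return the table rules the event breaks (empty list = compliant)."""
    out = []
    t = ev.tier
    # Marking is mandatory on Confidential (first page) and Restricted (all pages).
    if t in (Tier.CONFIDENTIAL, Tier.RESTRICTED) and not ev.marked:
        out.append(f"{t.value}: document must carry the {t.value.upper()} marking")
    if ev.action == "store":
        allowed = ALLOWED_STORAGE[t]
        if allowed is not None and ev.location not in allowed:
            out.append(f"{t.value}: storage on '{ev.location}' not permitted")
        # Restricted electronic storage: encryption with 2FA and a full audit trail.
        if t is Tier.RESTRICTED and ev.location != "locked_cabinet":
            if not ev.mfa:
                out.append("Restricted: electronic storage requires two-factor authentication")
            if not ev.audit_trail:
                out.append("Restricted: electronic storage requires a full audit trail")
    elif ev.action == "distribute":
        if t is Tier.INTERNAL and ev.external:
            out.append("Internal: internal distribution only")
        elif t is Tier.CONFIDENTIAL and ev.external \
                and ev.approval not in DISTRIBUTION_APPROVALS[t]:
            out.append("Confidential: external distribution needs an agreement or manager approval")
        elif t is Tier.RESTRICTED and ev.approval not in DISTRIBUTION_APPROVALS[t]:
            out.append("Restricted: distribution only via an executive-approved list")
    elif ev.action == "reproduce":
        if t is Tier.RESTRICTED and ev.approval != "executive":
            out.append("Restricted: no copies without executive permission")
    return out


if __name__ == "__main__":
    # Constructed sample events, one compliant and one not.
    print(violations(HandlingEvent(Tier.CONFIDENTIAL, "store",
                                   location="encrypted_network_share", marked=True)))
    print(violations(HandlingEvent(Tier.RESTRICTED, "store",
                                   location="encrypted_network_share", marked=True)))
```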
Classification Scoring

IMPACT (score, description, potential loss of earnings/cash flow):
5 Catastrophic / Major: If this risk were to materialize, Company would find it difficult to recover. Over $25,000,000.
4 Significant: The consequences of the risk materializing can be managed to some extent. $5,000,000 - $25,000,000.
3 Moderate: The consequences of the risk materializing are not severe and can be managed. $1,000,000 - $5,000,000.
2 Low: The consequences of the risk materializing are considered relatively unimportant. $100,000 - $1,000,000.
1 Negligible: No consequences of this risk materializing are detectable. Less than $100,000.

LIKELIHOOD (score, description, frequency of events):
5 Expected (occurs often): At least once a month.
4 Probable (known to occur): Once every six months.
3 Possible (known to occur occasionally): Once a year.
2 Unusual (has occurred somewhere): Once every 3-5 years.
1 Remote (could happen, but unlikely): Less than once in 5 years.

CONTROLS (score, description):
5 There is no formal or informal control associated with the risk. This includes uncontrollable risks.
4 Controls do not provide reasonable assurance that a risk will be detected consistently or timely. Controls of this type are informal and are insufficient to prevent or mitigate the risk effectively.
3 Controls in place provide assurance with a high level of certainty that a risk will be detected or prevented consistently and timely. Controls of this type are formal, but highly manual. Risk mitigation is implemented in a “reactionary” manner.
2 Controls in place provide assurance with a high level of certainty that a risk will be detected or prevented consistently and timely. Controls of this type are formalized, and tested on a regular basis. Controls of this type are rated as “best practices”.
1 Controls in place provide assurance with the highest level of certainty that a risk will be detected or prevented consistently and timely. These controls are highly formalized, automated and tested on a regular basis. Controls of this type are rated as “exceeding best practices”.
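To see how the three scales score and rank data elements for the heat map and control alignment the deck calls for, here is an added example that is not part of the deck. The Impact and Likelihood bands and the Controls ratings come from the scales above; the combining formula (product of the three scores), the exact band edges between the deck's frequency wording, the mapping from Impact to a classification tier, and the inventory itself are assumptions constructed for the example.

```python
"""Scoring helper built from the deck's Classification Scoring scales.

Added example, not the author's code. The deck gives the three 1-5 scales
but not how they combine; risk = impact * likelihood * controls is an
assumption here, as are the tier mapping and the constructed inventory.
"""
from dataclasses import dataclass


def impact_score(loss_usd: float) -> int:
    """Map potential loss of earnings/cash flow to the deck's 1-5 Impact scale."""
    if loss_usd > 25_000_000:
        return 5  # Catastrophic / Major: over $25,000,000
    if loss_usd >= 5_000_000:
        return 4  # Significant: $5,000,000 - $25,000,000
    if loss_usd >= 1_000_000:
        return 3  # Moderate: $1,000,000 - $5,000,000
    if loss_usd >= 100_000:
        return 2  # Low: $100,000 - $1,000,000
    return 1      # Negligible: less than $100,000


def likelihood_score(events_per_year: float) -> int:
    """Map event frequency to the deck's 1-5 Likelihood scale.

    The edges between "once a year" and "once every 3-5 years" are an
    assumption of this example (0.2 events/year = once in 5 years).
    """
    if events_per_year >= 12:
        return 5  # Expected: at least once a month
    if events_per_year >= 2:
        return 4  # Probable: once every six months
    if events_per_year >= 1:
        return 3  # Possible: once a year
    if events_per_year >= 0.2:
        return 2  # Unusual: once every 3-5 years
    return 1      # Remote: less than once in 5 years


# The deck's Controls scale: 5 = no control at all, 1 = exceeds best practice.
CONTROLS = {
    5: "no formal or informal control",
    4: "informal, insufficient to prevent or mitigate",
    3: "formal but highly manual, reactionary",
    2: "formalized and regularly tested (best practices)",
    1: "highly formalized, automated, regularly tested (exceeding best practices)",
}


@dataclass
class DataElement:
    name: str
    loss_usd: float         # estimated loss if the element is disclosed
    events_per_year: float  # estimated frequency of a loss event
    controls: int           # 1-5 rating per the Controls scale

    def scores(self) -> tuple:
        if self.controls not in CONTROLS:
            raise ValueError("controls rating must be 1-5")
        return (impact_score(self.loss_usd),
                likelihood_score(self.events_per_year),
                self.controls)

    def risk(self) -> int:
        """Assumed combination: product of the three 1-5 scores (1..125)."""
        impact, likelihood, controls = self.scores()
        return impact * likelihood * controls


def suggested_tier(impact: int) -> str:
    """Assumed link to the criteria table's wording: 'significant' impact
    maps to Restricted and 'moderate' impact to Confidential."""
    if impact >= 4:
        return "Restricted"
    if impact == 3:
        return "Confidential"
    if impact == 2:
        return "Internal"
    return "Public"


def rank(inventory: list) -> list:
    """Rows of (name, impact, likelihood, controls, risk, tier), highest risk first."""
    rows = []
    for element in inventory:
        impact, likelihood, controls = element.scores()
        rows.append((element.name, impact, likelihood, controls,
                     element.risk(), suggested_tier(impact)))
    return sorted(rows, key=lambda r: r[4], reverse=True)


# Constructed inventory (not the deck's data) using its own sample document types.
INVENTORY = [
    DataElement("ITAR-controlled drawings", 30_000_000, 0.5, 4),
    DataElement("Customer lists", 3_000_000, 1.0, 3),
    DataElement("Internal newsletter", 200_000, 2.0, 3),
    DataElement("Published financial reports", 0, 1.0, 5),
]

if __name__ == "__main__":
    for row in rank(INVENTORY):
        print("%-28s I=%d L=%d C=%d risk=%3d -> %s" % row)
```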
Inventory of Data Elements 
Summary “There's a reason why technology should be the last step”
Time to stop the unfocused spending on security and find the right balance of people, process & technology.
Stop waiting for others and Start today:
• People – Counterintelligence Awareness Training
  o Empower the Data Handlers and hold the Data Owners responsible
• Process – Facilitated Discussions
  o Build a consensus of Data Classification Criteria, Ranking & Inventory of Data Elements
• Technology – Align Security Controls with Key Threats
  o Implement Security Controls Commensurate with Data Element Scoring
“Good security is not something you have, it's something you do” – Wendy Nather
What Questions are there? 
Jack Nichelson 
E-mail: Jack@Nichelson.net 
Twitter: @Jack0Lope

Protecting the Crown Jewels – Enlist the Beefeaters

  • 1. Are you a Beefeater? Title Layout GET FOCUSED ON PROTECTING YOUR CROWN JEWELS
  • 2. Introduction “Solving Problems, is my Passion” I defend my companies competitive advantage by helping solve business problems through technology to work faster and safer. Who is Jack Nichelson?  Global Information Security Manager at large manufacturing company  15 years of experience in IT Security & Risk Management  Active in the security community (DefCon, ShmooCon, DerbyCon)  Teach Network Security and advise the Baldwin Wallace CCDC team
  • 3. Problem Statement “No More Borders” Most security failures can be traced back to failures of decision making and not failures of technology. Key Challenges:  A need for information everywhere and on everything.  What is a Crown Jewel, where is it, who needs it, and how is it protected?  Traditional classification policies and handling guidelines have failed and are not consistently applied or used for decision making.  The culture inside the organization is not ready to do anything about sensitive data.  Vendor Management is not part of the Data Classification process. “For too long, compliance has tested physical assets and ignored the thing that matters most” - Chris Nickerson
  • 4. Beefeaters “Change of the Guard” Once you have the basics covered, it time to start focusing on protecting your most imported data. Who better to protect your Crown Jewels than the Beefeaters? Tap into the iconic London Guard’s reputation, to develop an elite force to defend your organization’s most valuable assets from even trusted insiders. Empower the Data Handlers and hold the Data Owners responsible Data Governance…A Team Effort, But An Individual Responsibility!
  • 5. Solution Approach “Security Spending is out of Balance” The Power of Three:  FBI – Counterintelligence for Corporate America  Establish a new mental model in leadership about the threats  PWC – Data Governance  Data Classification Criteria, Ranking & Inventory of Data Elements  SANS – 20 Critical Controls  Align Security Controls with Key Threats to Data Elements Big increase in IT security spending - Gartner Time to stop the unfocused spending on security and find the right balance of people, process & technology.
  • 6. Counterintelligence “Lead through Awareness” Mission is to protect the company’s classified & proprietary technologies from theft & protect its most valuable asset – It’s People. Essential Elements of a Counterintelligence Program:  Create an organization-wide Data Privacy & CI Steering Committee  Recognition of the Insider & Foreign threat potential  Internal and external partnerships embedded within the company at key decision points  Integration of CI and Information Technology  Security & CI Awareness program & communication channel
  • 7. Data Governance
The first step in protecting your data is knowing its value, so you have a reason to find it.
Data Classification Process:
- Gather & Assess Data Elements (“Can’t protect what you don’t understand”)
  o Conduct detailed working sessions to identify & define sensitive data
  o Define levels of confidentiality (Public, Internal, Confidential, Restricted)
  o Identify data elements, applications, data flows, and create a data inventory
- Weight & Heat Map Data Elements
  o Assign weighting to identified data elements
  o Ensure operational activities are aligned with classification
  o Create a heat map across each functional area of data classifications and risks
  o Get management agreement on classification scoring & threats of data loss
  • 8. Security Framework “Focusing your Resources”
The 20 Critical Security Controls focus on prioritizing security on “What Works” for immediate, high-value action.
Guiding Principles:
- Start from thinking you have been breached and work backwards
- Defenses should focus on the most common & damaging attacks
- Ensure consistent controls are applied for the right level of impact
- Defenses should be automated, measured, and audited
- Measurements & metrics that everyone agrees on
“Don’t prioritize too many priorities” – James Tarala
  • 9. Defining Your Critical Data
How to get started:
Process Framework:
- DEFINE your critical data assets
- DISCOVER the critical data security environment
- BASELINE critical data security processes and controls
- SECURE critical data
- MONITOR with proper governance and metrics
Key Steps to Get Started:
- Define what your critical data is & how to score it
- Define your Data Classification Criteria & Ranking
- Create an Inventory of your Data Elements
- Establish Processes & Controls to protect your data
  • 10. Information Security Maturity Plan
Milestone accomplishments:
- Monthly Security Awareness Training
- Patching most systems within 15 days
- Removed Java from 85% of workstations
- Hard Drive Encryption for Laptops
- Web Security with Egress Filtering
- Network perimeter: Monitored Firewalls
- Minimum Security Baselines
- Achieved basic security compliance
- Achieved basic “blocking & tackling” security
  • 12. Classification Criteria
Criteria for each category: description, sample documents/records, marking, reproduction, distribution, storage, and destruction/disposal.

Public
  Description: Information that can be publicly disclosed.
  Sample documents/records: Marketing materials authorized for public release such as advertisements, brochures, published financial reports, Internet Web pages, catalogues, external public presentations and technical publications.
  Marking: None, except copyright notice if applicable.
  Reproduction: Unlimited.
  Distribution: Not restricted.
  Storage: Not restricted.
  Destruction/disposal: Recycling/trash.

Internal
  Description: Information whose unauthorized disclosure outside the organization would be inappropriate and inconvenient.
  Sample documents/records: Intranet web pages, internal contact information, newsletters, certain corporate policies and procedures, town hall presentations, benefit options, postings on internal bulletin boards, internal SDS databases.
  Marking: None required, but can be marked "FOR INTERNAL DISTRIBUTION ONLY" if needed.
  Reproduction: Unrestricted internally.
  Distribution: Internal distribution only.
  Storage: Not restricted.
  Destruction/disposal: Paper: shred. Electronic: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops, printers etc. to IT for appropriate disposal.

Confidential
  Description: Information whose disclosure will have a moderate* negative material impact on the organization. (*Less than $** million loss.)
  Sample documents/records: Best practices, job manuals, R&D technical documents, QA information including test data, Idea Records, engineering drawings and documentation, PLC programs, certain agreements, customer lists, cost information, personally identifiable information, personal health information.
  Marking: Company CONFIDENTIAL or [Business Unit] CONFIDENTIAL (Company CONFIDENTIAL is the umbrella marking for data that can be shared between the businesses; [Business Unit] CONFIDENTIAL is for the given business). Marking is mandatory on the first page.
  Reproduction: Only for legitimate business purposes and to a limited audience. Secure print only.
  Distribution: Internal: distribute to a limited audience, to those who need to know. Link to the document if possible when emailing. Limit printing. External: an appropriate agreement must be in place, or manager approval only.
  Storage: Encrypted network file share, encrypted USB (company owned), no local storage on hard drive, no storage on personal devices or personal email. Paper confidential documents must be stored under lock and key when not in use.
  Destruction/disposal: Paper: shred. Electronic: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops, printers etc. to IT for appropriate disposal.

Restricted
  Description: Information whose disclosure will have a significant* negative material impact on the organization and can provide significant third-party personal or competitive financial gain. (*Greater than $** million loss.)
  Sample documents/records: Export-controlled data, ITAR-controlled data, [Business Unit] Customer Confidential and [Business Unit] Supplier Confidential information, communications marked attorney-client privileged, and M&A information. Information deemed "crown jewels" by the business team.
  Marking: Company RESTRICTED, FMI RESTRICTED, SEADRIFT RESTRICTED. Marking is mandatory on all pages of all documents. May require additional marking (e.g., export controlled, Seadrift Customer Confidential) depending on the type of data.
  Reproduction: None, except with the permission of the Business Segment President, the VP of R&D, or the Business Segment Director of Intellectual Property; all copies are tracked.
  Distribution: Defined distribution list approved by the Business Segment President, the VP of R&D, or the Business Segment Director of Intellectual Property. No further distribution allowed.
  Storage: Encrypted network file share, no local storage on hard drive, no storage on personal devices or personal email. Paper restricted documents must be stored under lock and key when not in use. All restricted data must be encrypted at rest and in motion, with two-factor authentication required for access. Full audit trail required.
  Destruction/disposal: Paper: shred. Electronic: physically destroy magnetic media. Send CDs, DVDs, dead hard drives, laptops, printers etc. to IT for appropriate disposal.
  • 13. Classification Scoring

IMPACT (potential loss of earnings/cash flow)
5 Catastrophic / Major: If this risk were to materialize, the Company would find it difficult to recover. Over $25,000,000.
4 Significant: The consequences of the risk materializing can be managed to some extent. $5,000,000 - $25,000,000.
3 Moderate: The consequences of the risk materializing are not severe and can be managed. $1,000,000 - $5,000,000.
2 Low: The consequences of the risk materializing are considered relatively unimportant. $100,000 - $1,000,000.
1 Negligible: No consequences of this risk materializing are detectable. Less than $100,000.

LIKELIHOOD (frequency of events)
5 Expected (occurs often): At least once a month.
4 Probable (known to occur): Once every six months.
3 Possible (known to occur occasionally): Once a year.
2 Unusual (has occurred somewhere): Once every 3-5 years.
1 Remote (could happen, but unlikely): Less than once in 5 years.

CONTROLS
5 There is no formal or informal control associated with the risk. This includes uncontrollable risks.
4 Controls do not provide reasonable assurance that a risk will be detected consistently or timely. Controls of this type are informal and are insufficient to prevent or mitigate the risk effectively.
3 Controls in place provide assurance with a high level of certainty that a risk will be detected or prevented consistently and timely. Controls of this type are formal but highly manual. Risk mitigation is implemented in a “reactionary” manner.
2 Controls in place provide assurance with a high level of certainty that a risk will be detected or prevented consistently and timely. Controls of this type are formalized and tested on a regular basis. Controls of this type are rated as “best practices”.
1 Controls in place provide assurance with the highest level of certainty that a risk will be detected or prevented consistently and timely. These controls are highly formalized, automated and tested on a regular basis. Controls of this type are rated as “exceeding best practices”.
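The three scales above, together with the “Weight & Heat Map Data Elements” step of the Data Governance slide, are easy to operationalize as a script that scores a data-element inventory and rolls it up per functional area. The following is an added example written for this page; it is not code from the presentation. The Impact, Likelihood and Controls scales are taken from the slide; the way the three are combined (a straight product, 1 to 125), the decision to treat lower band edges as inclusive, the heat-map roll-up (worst score per area) and the sample inventory are all assumptions made for illustration.

```python
"""Score a data-element inventory with the deck's Impact, Likelihood and
Controls scales and roll the results up into a per-functional-area heat map.

Added example, not code from the original presentation. The 1-5 scales are
the slide's; the combination (impact * likelihood * controls), the inclusive
lower band edges, the heat-map roll-up and the sample inventory are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass


def impact_score(loss_usd: float) -> int:
    """Map potential loss of earnings/cash flow to the 1-5 Impact scale.
    Bands follow the slide: >$25M, $5M-$25M, $1M-$5M, $100K-$1M, <$100K.
    Lower band edges are inclusive (assumption; the slide does not say)."""
    if loss_usd > 25_000_000:
        return 5  # Catastrophic / Major
    if loss_usd >= 5_000_000:
        return 4  # Significant
    if loss_usd >= 1_000_000:
        return 3  # Moderate
    if loss_usd >= 100_000:
        return 2  # Low
    return 1      # Negligible


def likelihood_score(events_per_year: float) -> int:
    """Map expected frequency to the 1-5 Likelihood scale.
    At least monthly (12/yr) = 5, every six months (2/yr) = 4, once a year = 3,
    once every 3-5 years (0.2-0.33/yr) = 2, less than once in 5 years = 1."""
    if events_per_year >= 12:
        return 5
    if events_per_year >= 2:
        return 4
    if events_per_year >= 1:
        return 3
    if events_per_year >= 0.2:
        return 2
    return 1


@dataclass
class DataElement:
    name: str
    functional_area: str
    loss_usd: float          # estimated loss if the element is compromised
    events_per_year: float   # expected frequency of a loss event
    controls: int            # 1 (exceeding best practice) .. 5 (no control)

    def risk_score(self) -> int:
        """Impact x Likelihood x Controls, 1..125 (the product is an assumption)."""
        if not 1 <= self.controls <= 5:
            raise ValueError(f"controls rating must be 1-5, got {self.controls}")
        return (impact_score(self.loss_usd)
                * likelihood_score(self.events_per_year)
                * self.controls)


def rank_inventory(inventory):
    """Return (name, score) pairs, highest risk first; ties broken by name."""
    scored = [(e.name, e.risk_score()) for e in inventory]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def heat_map(inventory):
    """Worst (max) score per functional area: the 'heat map across each
    functional area' from the Data Governance slide."""
    areas = defaultdict(int)
    for e in inventory:
        areas[e.functional_area] = max(areas[e.functional_area], e.risk_score())
    return dict(areas)


# Constructed sample inventory (assumption; not the deck's data).
SAMPLE_INVENTORY = [
    DataElement("PLC programs", "Engineering", 8_000_000, 0.5, 4),
    DataElement("Engineering drawings", "Engineering", 30_000_000, 1, 3),
    DataElement("Customer lists", "Sales", 2_000_000, 2, 2),
    DataElement("Employee PHI", "HR", 500_000, 0.1, 2),
    DataElement("Marketing brochures", "Marketing", 10_000, 12, 5),
]

if __name__ == "__main__":
    for name, score in rank_inventory(SAMPLE_INVENTORY):
        print(f"{score:4d}  {name}")
    print(heat_map(SAMPLE_INVENTORY))
```

Run as a script it lists the ranked inventory and the per-area maxima. Note what the constructed data shows: public brochures with no controls at all (controls = 5) out-rank the customer lists, because a pure product lets likelihood and missing controls outweigh a low impact. If that is not the ranking the business wants, that is exactly where the slide’s “assign weighting to identified data elements” and “get management agreement on classification scoring” steps come in, for example by weighting impact more heavily before multiplying.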
  • 14. Inventory of Data Elements
  • 15. Summary “There's a reason why technology should be the last step”
Time to stop the unfocused spending on security and find the right balance of people, process & technology. Stop waiting for others and start today:
- People – Counterintelligence Awareness Training
  o Empower the Data Handlers and hold the Data Owners responsible
- Process – Facilitated Discussions
  o Build a consensus on Data Classification Criteria, Ranking & Inventory of Data Elements
- Technology – Align Security Controls with Key Threats
  o Implement Security Controls commensurate with Data Element Scoring
“Good security is not something you have, it’s something you do” – Wendy Nather
  • 16. What Questions are there?
Jack Nichelson
E-mail: Jack@Nichelson.net
Twitter: @Jack0Lope

Editor's notes

  1. What do you do, and not your job title? My Value Proposition, a “What I do and How I do it” statement: I defend my company’s competitive advantage by helping you solve business problems through technology so you can work faster and safer. OLD: My job is to transform Information Security into a competitive advantage for Company, by solving business problems through technology to boost profits and reduce costs.
  2. Think like you have been hacked and you have to explain to your CEO why this was not protected by basic security. Mobile, social, cloud and big data, each a disruptive force, together change everything related to protecting systems and information. Many organizations are not aware of what their Crown Jewel information is, where it resides, who has access to it, or how it is protected.
  3. Operationalize data governance; bring it back into the hands of the data handlers.
  4. You always hear that the first step in protecting your data is knowing where it is, but I would argue that it is its value.