Information Security Best Practices:
Keeping Your Company’s Data Safe
Hello!
I am James Patterson
COO & CISO, Resolver
james@resolver.com
Information Security
Confidentiality Integrity Availability
Principle of Least Privilege
• Every module (process, user, program, environment) must be able to access only the information and resources that are necessary for its legitimate purpose
• Start from nothing, only add what is needed
Defense in Depth
Use of all available security mechanisms in the different aspects of the application deployment infrastructure to minimise potential attack vectors by creating multiple layers of protection in case one mechanism fails.
Layer Cake
• BCP & DR
• Monitoring
• Procedures
• Automation
• Policies
• Penetration Testing
• Third Party Validation
• Corporate Environment
• People
• Technical Controls
• Network
• OS
• Application
• Data Storage and Access
• Physical Security
Corporate Environment
• Security Culture
• Tone at the Top
• Trusted Guardian of Your Data
• Transparency
• Risk Assessment
• Documentation
• Investment
People
• Security Roles
• Job Descriptions
• Hiring Decisions (background checks)
• Onboarding/Offboarding (least privilege)
• Ongoing security training
Security Architecture Principles
▪ Segmented Environments
▪ Server Isolation
▪ Least Privilege
▪ Private Network for Server Management
▪ Minimal public surface area
▪ AWS Managed Services Wherever Possible
▪ MFA and Credential Complexity
Technical Controls - Network
▪ ALB (Application Load Balancer) or Nginx secure reverse proxy
▪ CloudFront for Content Distribution and DDoS protection
▪ AWS Shield (WAF)
▪ EC2 Security Groups (AWS Firewall)
▪ IAM Users and Roles
▪ Transport Encryption
▪ Private Management Subnet through MFA Enabled VPN
Technical Controls - Operating System
▪ Server Hardening
▪ Anti-virus
▪ Anti-malware
▪ Intrusion detection systems – AlienVault and AWS GuardDuty
▪ Monthly Patch Management
▪ Critical patches analyzed for applicability within 48 hours
Technical Controls - Application
▪ Security by Design
▪ Access and Authorization checked at every level
▪ Resolver Application Level Authentication control
▪ Resolver as identity provider
▪ Single Sign On
▪ Role and Data Based Authorization Control
Data Storage and Access
• Encryption at Rest
• Data Segregation
• Access Review
• High Availability and Durability
• Access Controls
  • Least privilege
  • Encrypted credentials
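The least-privilege principle from the opening slides and the Application and Data Storage slides (default deny, authorization checked at every level, role- and data-based control, data segregation) in one runnable sketch. This is an added example, not code from the deck or from Resolver's product; the tenants, users, roles and records are constructed for illustration.

```python
"""Default-deny, role- and tenant-scoped authorization checked at two layers.
Added example, not code from the slides or Resolver's product: it models the
deck's "start from nothing, only add what is needed", "Access and Authorization
checked at every level" and "Data Segregation" points. Every name, role and
record below is constructed for illustration."""
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised by either layer when a request is not explicitly allowed."""

@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    roles: frozenset

@dataclass(frozen=True)
class Record:
    record_id: str
    tenant_id: str
    resource: str  # resource type, e.g. "incident"
    owner_id: str

# Grant table: starts empty; every (role, resource, action, scope) is added
# explicitly and anything absent is denied. Scope "tenant" covers any record in
# the caller's tenant, "own" only records the caller owns.
GRANTS = set()

def grant(role, resource, action, scope="tenant"):
    GRANTS.add((role, resource, action, scope))

def role_allows(principal, record, action):
    """Application-layer check: one of the principal's roles must hold a grant
    whose scope covers this specific record (role- and data-based control)."""
    for role in principal.roles:
        if (role, record.resource, action, "tenant") in GRANTS:
            return True
        if ((role, record.resource, action, "own") in GRANTS
                and record.owner_id == principal.user_id):
            return True
    return False

class RecordStore:
    """Data layer: enforces the tenant boundary again, so a bug in the
    application layer cannot hand out another tenant's records."""

    def __init__(self, records):
        self._by_id = {r.record_id: r for r in records}

    def get(self, principal, record_id):
        rec = self._by_id.get(record_id)
        if rec is None or rec.tenant_id != principal.tenant_id:
            # Same error for "missing" and "other tenant": do not reveal that a
            # record exists outside the caller's tenant.
            raise Forbidden("not found")
        return rec

def perform(store, principal, record_id, action):
    """Entry point for an API request: data-layer lookup, then role check."""
    rec = store.get(principal, record_id)
    if not role_allows(principal, rec, action):
        raise Forbidden(f"{principal.user_id} may not {action} {rec.resource}")
    return rec

def is_allowed(store, principal, record_id, action):
    try:
        perform(store, principal, record_id, action)
        return True
    except Forbidden:
        return False

# Constructed sample data: two tenants, three users, three incident records.
grant("admin", "incident", "read")
grant("admin", "incident", "delete")
grant("analyst", "incident", "read")
grant("reporter", "incident", "read", scope="own")
grant("reporter", "incident", "update", scope="own")
STORE = RecordStore([Record("inc-1", "acme", "incident", owner_id="bob"),
                     Record("inc-2", "acme", "incident", owner_id="carol"),
                     Record("inc-3", "globex", "incident", owner_id="eve")])
ALICE = Principal("alice", "acme", frozenset({"analyst"}))  # reads whole tenant
BOB = Principal("bob", "acme", frozenset({"reporter"}))     # own records only
EVE = Principal("eve", "globex", frozenset({"admin"}))      # admin, other tenant
```

Note that the data layer refuses a cross-tenant lookup before any role is consulted, so an admin role in one tenant grants nothing in another.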
Physical Security - AWS
▪ Site selection
▪ AWS employee access only
▪ Access logs
▪ Access review
▪ CCTV and MFA access
Business Continuity Planning & Disaster Recovery
• AWS Regions and Availability Zones
• Regular Backups with Validation
• Monthly Testing
• Auto Scale and Self Healing
Monitoring
▪ AWS CloudWatch – Log Aggregation and preservation
▪ CloudTrail – AWS Account Config Changes
▪ Application Audit Trail
▪ AlienVault – SIEM, HIDS
▪ Site24x7 – External availability
▪ PagerDuty – Notification
▪ Nessus – Vulnerability Scanning
▪ GuardDuty – Machine Learning SIEM
Standard Operating Procedures
▪ Disaster Recovery
▪ Change Management
▪ Incident Management
▪ Monthly Maintenance
▪ Vulnerability Management
▪ Other SOPs
▪ Common operations (onboard & offboard customers)
Automation
▪ Faster
▪ Removes human error
▪ Scripting for common tasks
▪ New customer
▪ Resolver Core environment deploy
▪ Cattle, not pets
▪ Replace servers with secure versions
▪ No need to remote into containers
Policies
▪ InfoSec Policy
▪ Change Control
▪ Hiring Process
▪ Termination Process
▪ Security Assessment Process
▪ Incident Management Policy
▪ Security Awareness Training Policy
▪ Server Capacity Policy
▪ Server Hardening Policy
▪ Data Classification
▪ Password Policy
▪ Cryptography Policy
▪ Patch Management Policy
▪ Remote Access Policy
Penetration Testing
▪ Annual
▪ Third Party
▪ Black box, authenticated, comprehensive
▪ OWASP
▪ Top 10
▪ Application Security Verification Standard
▪ Data segregation
▪ Application logic
Third Party Validation
Thanks!
Any questions?
james@resolver.com
