How Do You Create a Successful Information Security Program?
Hire a GREAT ISO!!
Tammy L. Clark, CISSP, CISM, CISA
Information Security Officer
Georgia State University

A Little Background on Me…
• Hired as a consultant to design a security program for GSU in April 2000
• Started the program in July 2000
• Began with a strategic 3-5 year plan
• "Sold" the program to campus constituents and implemented security solutions that would make an immediate impact: the big bang!
• Apathy has changed to empathy on our campus!

Developing an Information Security Program
• The best approach is a strategic one
• Throwing together various solutions without adequate planning may work in the short term, but is disastrous in the long term!
• Similar to, but more granular than, the role the CIO plays in the overall IT organization: you need a CISO to lead your information security program
• The key is selecting the right person and empowering them to effect positive changes

Taking a Strategic View of Things
• START with a 3-5 year strategic security plan, as well as a plan outlining the tactical approach that will be taken, and annual project plans to project what priorities will be tackled and what resources and budget will be necessary each year
• OVER 95% of universities I’ve surveyed over the past 5 years do not have a strategic information security plan that details how the information security department or function will align itself as an enabler of the information technology, business and academic
• PRIORITIZE your needs when it comes to budgeting for information security: unless you are one of those entities fortunate enough to have millions to spend on security solutions and endeavors, you will find it necessary to carefully select the solutions, resources, and program initiatives that your university will focus on each year

Confidentiality, Integrity, and Availability
• The goals of an effective program
  – Develop clear and unambiguous policies, guidelines and standards
  – Protect sensitive data
  – Prevent unauthorized intrusions, access, tampering
  – Ensure business continuity and operational efficiency
  – Assess risks, threats and vulnerabilities accurately
  – Detect and remediate security incidents quickly

People, Processes, and Technology
• Technical solutions without processes are
• Processes without trained and motivated people to implement them are useless
• People without training, motivation, or understanding can negate the effectiveness of technology and processes

An In-depth and Layered Defense
• The information security strategic, tactical and annual project plans should focus on developing an in-depth and layered approach to integrating information security tools into the existing network infrastructure, as well as making key decisions about how your university will choose to protect your information technology resources
• For example, at GSU, we’ve chosen to focus on a strategy of IPS and AV at the edge of the network, firewalls and ACLs to protect key segments of the campus, IPS and AV on desktops and many campus servers, VPN and Bluesocket boxes in the wireless areas, and the Perfigo security gateway solution to ensure that housing residents’ systems are running specific security software we require to grant them network access
• The tools we are leveraging today started with an overall strategy of securing campus hosts rather than deploying a network firewall at the edge, and have evolved over time as security solutions have seasoned and added new capabilities. We build relationships with the vendors we do business with and thoroughly evaluate a new vendor’s technology and their capacity to provide continued support and enhancements. We have limited dollars to spend and must do so wisely.

Evangelizing the Masses
• ALL it takes is hackers exploiting a single workstation or server that processes sensitive student information or stores user credit card info to land your university on the 6:00 p.m. newscast!
• CONFUSION reigns among many campus users about how to protect their workstations from the numerous methods employed to install backdoors, IRC bots, worms, and spyware; they seek leadership and guidance to help prevent these problems.
• THANKS to all the attention garnered by MyDoom, Blaster, Sasser, etc., the university community as a whole cares more now about information security than ever before!

Why Committees and IT Staff Members Can Assist But Not Lead
• It is important to include these constituents in policy, procedural and potentially security solution evaluations; they are well suited to assist or provide feedback in these important areas, BUT…
• Generally speaking, committees are composed of individuals with responsibilities that are not focused around information security; therefore, their number one priority is their own job responsibilities, not developing and nurturing an information security program, which takes a huge amount of care and feeding upfront
• Information technology professionals often lack the business management background to tackle program issues from a C-level standpoint; additionally, many have built up expertise in one or two areas of technology and lack the overall breadth of information technology and specific information security experience to tackle the challenging role of the ISO

Why You Need an ISO
• Leadership
• Vision
• Integrity
• Dedication
• Catalyst for change
• Promote the perception of information security as a value add
• Negotiate effectively with security solutions vendors to procure the best solution for your university at the best
• Evangelize the masses

Real World Examples
• A university without an ISO charges the network manager to deploy some security solutions. Since they are a Cisco "shop," the manager buys a number of Cisco’s security tools including some PIX firewalls, IDS, and the Cisco Security Agents. A year later, the hardware procured is in a storage closet and the CSAs have not been deployed. The manager is of the opinion that this will have to wait until the necessary funding for training can happen.
• A CIO decides that "something" has to be done about the university’s lack of a way to detect or prevent attacks on the network; lately, the network has been crippled by Sasser infections, IRC bots, P2P distributions and spyware running on university workstations. He talks to a firewall vendor and the vendor talks him into placing a firewall appliance at the edge of the campus network to block all the "bad" stuff. After a couple of days of numerous help desk calls and complaints, the firewall is basically configured to allow rather than deny most traffic coming in and out of the campus

What is it Going to Cost You…
• It may actually cost you more to deploy various security solutions without a clear and focused strategy or evaluation from a technical, risk, and business continuity standpoint than it would to hire an ISO!
• Time and time again, I’ve seen universities buying solutions without having a strategic security plan in place, without evaluating these tools, and without integrating and layering them into the existing network infrastructure, ONLY to have to replace these solutions or abandon them and spend money to buy new ones
• Uncontained RPC worm infections, IRC bots, and illegal warez servers carry a recovery cost you want to avoid, given the man hours (in terms of salary dollars for IT staff members) that must be spent reinstalling compromised workstations or fixing network performance problems caused by denial of service attacks and other security related problems. Hire an ISO and start tackling these problems NOW!

Selecting an ISO
• Choose wisely as this position is pivotal to the success of your information security program. Look for a wide breadth of information technology experience, solid evidence of leadership, project management, business management and/or analysis skills and training, and (optionally) security certifications.
• HIRE an ISO who can evaluate and deploy numerous types of security (IDS/IPS/firewall) solutions. The ISO needs to have the skill set to analyze and understand the data culled from various security solutions and logs in order to develop effective incident prevention and management strategies.
• HIRE an ISO who can write sound policies and procedures, communicate effectively with diverse constituent groups, develop strategic and project plans, security awareness presentations and materials, facilitate and create committees and working groups, and provide direction and guidance to information technology employees

Typical Duties of an ISO
• Develop policies and guidelines
• Incident prevention, response and management
• Security awareness
• Security tool selection and deployment
• Security audits and reviews
• Focal point for providing information and guidance to the campus about threats and
• Management of key security operational systems, such as anti-virus, IDS/IPS, firewalls

Most Effective Reporting Structure
• Although there are ISOs (including myself) who report to a director or manager level information technology staff member, the measure of influence that can be gained by being aligned underneath the CIO is invaluable
• However, if you are able to get your "message" across to multiple constituent groups and build strong alliances on campus with information technology staff members, faculty, students, and campus leaders in the police, legal affairs, public relations, human resources, student information and financial organizations, you can also effect positive outcomes and really motivate these organizations and people to collaborate with you in ensuring your information security program is accomplishing the major goals and objectives established
• By the way, your "message" needs to address and appeal to the issues and needs of each constituent organization or individual that you deal with. One message does not fit all!

What Background is Most
• Harry Shah, CISO of Marsh, a risk and insurance services provider, sums it up this way: "A CSO has to be a futurist, an evangelist, a technology manager, a cheerleader, a change agent, a good bureaucrat, a very good policy-maker, a negotiator and a legal expert. And on a good day, he also has to be a security

Are Certifications Important?
• CISSP – Certified Information Systems Security Professional
• SSCP – Systems Security Certified Practitioner
• CISM – Certified Information Security Manager
• CISA – Certified Information Systems Auditor
• GIAC – Global Information Assurance Certification
• CPP – Certified Protection Professional
• CompTIA Security+ Certification
• Forensics and Ethical Hacking (various)
• Vendor security certifications (ISS, Cisco, etc.)

Specific and Unique Qualities
• Actively seeks challenges and obstacles to overcome
• Embraces the need to dynamically evolve and stay current in knowledge of the technology and information security arenas
• Able to think outside the box
• Strong at problem solving, multi-tasking, juggling multiple projects and conflicting priorities
• Understands the role technology plays in furthering the mission of the academic, business, financial, and administrative units and how to integrate and align the strategic goals and objectives of these areas with those in the information security organization

The "Ideal" Security Staff
• In terms of numbers of dedicated staff, you may find that you never have all the resources that you require
• Therefore, it is critical to hire security staff members with diverse backgrounds and skill sets that you can leverage along with existing information technology staff to manage and handle the requirements of the various programs and initiatives created, such as security awareness, incident response, security tool implementation and management, policy and procedure development, security reviews and audits…

Wrapping Up…
• A great Information Security Officer can evolve and shape your campus information security program into a dynamic and effective entity!
• This individual will have a major focus on bringing needed attention to campus security problems and needs, and will effectively promote the information security program and seek funding for major initiatives.
• Don’t take a piecemeal and fractured approach, with various constituent groups developing policies and other groups buying security tools. Hire a leader for your program, develop a sound 3-5 year strategy and integrate security into the existing framework.