
The CISO Journey: Life Lessons and Concepts to Accelerate Your Professional Development (PDF)

317 Pages·2017·6.598 MB·English

Preview: The CISO Journey: Life Lessons and Concepts to Accelerate Your Professional Development

The CISO Journey
Life Lessons and Concepts to Accelerate Your Professional Development

Internal Audit and IT Audit
Series Editor: Dan Swanson

Other titles in the series:

- A Guide to the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (2.0), Dan Shoemaker, Anne Kohnke, and Ken Sigler, ISBN 978-1-4987-3996-2
- Mastering the Five Tiers of Audit Competency: The Essence of Effective Auditing, Ann Butera, ISBN 978-1-4987-3849-1
- Operational Assessment of IT, Steve Katzman, ISBN 978-1-4987-3768-5
- A Practical Guide to Performing Fraud Risk Assessments, Mary Breslin, ISBN 978-1-4987-4251-1
- Operational Auditing: Principles and Techniques for a Changing World, Hernan Murdock, ISBN 978-1-4987-4639-7
- Corporate Defense and the Value Preservation Imperative: Bulletproof Your Corporate Defense Program, Sean Lyons, ISBN 978-1-4987-4228-3
- Securing an IT Organization through Governance, Risk Management, and Audit, Ken E. Sigler and James L. Rainey, III, ISBN 978-1-4987-3731-9
- Security and Auditing of Smart Devices: Managing Proliferation of Confidential Data on Corporate and BYOD Devices, Sajay Rai, Philip Chukwuma, and Richard Cozart, ISBN 978-1-4987-3883-5
- Data Analytics for Internal Auditors, Richard E. Cascarino, ISBN 978-1-4987-3714-2
- Fighting Corruption in a Global Marketplace: How Culture, Geography, Language and Economics Impact Audit and Fraud Investigations around the World, Mary Breslin, ISBN 978-1-4987-3733-3
- Software Quality Assurance: Integrating Testing, Security, and Audit, Abu Sayed Mahfuz, ISBN 978-1-4987-3553-7
- The CISO Journey: Life Lessons and Concepts to Accelerate Your Professional Development, Gene Fredriksen, ISBN 978-1-138-19739-8
- Investigations and the CAE: The Design and Maintenance of an Investigative Function within Internal Audit, Kevin L. Sisemore, ISBN 978-1-4987-4411-9
- The Complete Guide to Cybersecurity Risks and Controls, Anne Kohnke, Dan Shoemaker, and Ken E. Sigler, ISBN 978-1-4987-4054-8
- Internal Audit Practice from A to Z, Patrick Onwura Nzechukwu, ISBN 978-1-4987-4205-4
- Cognitive Hack: The New Battleground in Cybersecurity ... the Human Mind, James Bone, ISBN 978-1-4987-4981-7
- Leading the Internal Audit Function, Lynn Fountain, ISBN 978-1-4987-3042-6

The CISO Journey: Life Lessons and Concepts to Accelerate Your Professional Development
Gene Fredriksen

CRC Press, Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2017 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed on acid-free paper
International Standard Book Number-13: 978-1-138-19739-8 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data
Names: Fredriksen, Gene, author.
Title: The CISO journey : life lessons and concepts to accelerate your professional development / Gene Fredriksen.
Description: Boca Raton, FL : CRC Press, 2017.
Identifiers: LCCN 2016043407 | ISBN 9781138197398 (hb : alk. paper)
Subjects: LCSH: Chief information officers. | Computer security. | Computer networks--Security measures. | Data protection.
Classification: LCC HF5548.37 .F735 2017 | DDC 658.4/78--dc23
LC record available at https://lccn.loc.gov/2016043407

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

List of Figures (p. xi)
List of Tables (p. xiii)
Prologue (p. xv)
Foreword (p. xix)
Acknowledgments (p. xxi)
Author (p. xxiii)

Section I: Introduction and History

1 Introduction: The Journey (p. 3)
2 Learning from History? (p. 5)
3 My First CISO Lesson: The Squirrel (p. 9)
    The Big Question: How Did I End Up in Info Security? (p. 10)

Section II: The Rules and Industry Discussion

4 A Weak Foundation Amplifies Risk (p. 15)
    Patching: The Critical Link… (p. 19)
    It's about More Than Patching (p. 21)
        Patching Myth One (p. 21)
        Patching Myth Two (p. 22)
        Patching Myth Three (p. 22)
        Patching Myth Four (p. 22)
    Scanning Required! (p. 23)
        Misconception One (p. 23)
        Misconception Two (p. 24)
        Misconception Three (p. 24)
        Misconception Four (p. 24)
        Misconception Five (p. 25)
        Environment Control (p. 26)
        Tracking IT Assets (p. 26)
        Risk Management (p. 27)
        Key Questions to Ask (p. 33)
5 If a Bad Guy Tricks You into Running His Code on Your Computer, It's Not Your Computer Anymore (p. 39)
    Worms, Trojans, and Viruses: What's in a Name? (p. 41)
        Myth One (p. 41)
        Myth Two (p. 42)
        Myth Three (p. 42)
        Myth Four (p. 43)
        Myth Five (p. 43)
        Myth Six (p. 44)
        Myth Seven (p. 44)
        Myth Eight (p. 45)
        Myth Nine (p. 45)
        Myth Ten (and My Personal Favorite) (p. 46)
    Attack Types Are Wide-Ranging (p. 46)
    Social Engineering (p. 47)
6 There's Always a Bad Guy Out There Who's Smarter, More Knowledgeable, or Better-Equipped Than You (p. 49)
    What about Your People? (p. 56)
    Plan for the Worst (p. 58)
    Not All Alerts Should Be Complex (p. 61)
    What about Wireless? (p. 61)
    Context-Aware Security (p. 63)
    Suggested Reading (p. 64)
7 Know the Enemy, Think Like the Enemy (p. 65)
    Monitoring What Leaves Your Network Is Just as Important as Monitoring What Comes In: Introducing the "Kill Chain" Methodology (p. 73)
    Stack the Deck in Your Favor (p. 78)
    Picking the Right Penetration Test Vendor (p. 79)
    How Should Penetration Testing Be Applied? (p. 79)
    Selecting a Vendor (p. 80)
8 Know the Business, Not Just the Technology (p. 83)
    The Role of Risk Management within the Enterprise (p. 84)
    Separation of Duties (p. 86)
    Is There an Overlap between Legal, Compliance, and Human Resources? (p. 90)
    A Model Structure (p. 91)
    Risk Management/Organizational Management Interaction (p. 92)
        Executive Steering Committee (p. 93)
        Information Security Officer Committee (p. 93)
    Information Security Department Staffing (p. 94)
    The Compliance Arm of the CISO Office (p. 96)
    Security Operations and Engineering (p. 96)
    User Access and Administration (p. 97)
    Advice for the New CISO (p. 98)
    Tying Your Goals and Objectives to Company Goals (p. 101)
    Conclusion (p. 102)
9 Technology Is Only One-Third of Any Solution (p. 103)
    Let's Look at Risk Management and the People, Process, and Technology Methodology (p. 104)
    Safe Harbor Principles (p. 106)
        Prevent (p. 109)
        Detect (p. 110)
        Respond (p. 110)
        Recover (p. 112)
10 Every Organization Must Assume Some Risk (p. 115)
    No Is Seldom the Answer (p. 117)
    Strive for Simplicity (p. 120)
    Risk Planning Is Just as Important as Project Planning (p. 121)
    Dealing with Internal Audit (p. 125)
    The Work (p. 127)
11 When Preparation Meets Opportunity, Excellence Happens (p. 129)
    End-User Training and Security Awareness (p. 130)
    Flashback to High School Memories… (p. 132)
    Training Methods (p. 132)
    New Hire Training (p. 133)
    Awareness Seminars (p. 135)
    Security Policy (p. 143)
    Roles and Responsibilities (p. 144)
        Company Board and Executives (p. 144)
        Chief Information Officer (p. 145)
        Information Technology Security Program Manager (p. 145)
        Managers (p. 145)
        Users (p. 146)
    Formal Training (p. 147)
    Brown Bag Lunches (p. 147)
    Organizational Newsletters (p. 148)
    Awareness Campaigns (p. 148)
    Tests and Quizzes (p. 149)
    Funding the Security Awareness and Training Program (p. 149)
    Summary (p. 150)
12 There Are Only Two Kinds of Organizations: Those That Know They've Been Compromised and Those That Don't Know Yet (p. 155)
    Loss Types (p. 158)
    Consequences of Loss (p. 158)
    How Can DLP Help? (p. 158)
    Prevention Approach (p. 159)
        PCI DSS Credit Card Guidelines (p. 159)
        Guidelines (p. 160)
        Credit Card Processing Procedures (p. 161)
    Employee Loyalty Is a Factor (p. 162)
    What Can You Do? (p. 167)
13 In Information Security, Just Like in Life, Evolution Is Always Preferable to Extinction (p. 169)
    Security Strategic Planning (p. 171)
    The Planning Cycle (p. 172)
    Foundation/Strategy (p. 172)
    Assessment and Measurement (p. 172)
    Key Risk Identification (p. 173)
    Develop the Strategic Plan (p. 174)
        Process Inputs (p. 175)
        Money, Money, Money… (p. 179)
            Capital Expenditures (p. 179)
            Operational Expenses (p. 179)
14 A Security Culture Is In Place When Talk Is Replaced with Action (p. 181)
    Introduction (p. 181)
    Training (p. 183)
    Basics (p. 185)
    Technology (p. 187)
    Data Security (p. 188)
    Productivity (p. 190)
    Communication (p. 192)
    E-mail (p. 195)
    Morale (p. 196)
    Metrics and Measures (p. 197)
    Workplace (p. 198)
    Conclusion (p. 200)
15 NEVER Trust and ALWAYS Verify (p. 203)
    Trust Your Vendors: Home Depot (p. 207)
    Nervous about Trusting the Cloud? (p. 209)
        Does Your System Encrypt Our Data while They Are Stored on Your Cloud? (p. 210)
        Does the Provider Have a Disaster Recovery Plan for Your Data? (p. 210)
        Don't Confuse Compliance with Security (p. 211)
        Has the Potential Vendor Earned Certifications for Security and Compliance That Can Provide Assurance of Their Capabilities? (p. 211)
        What Physical Security Measures Are in Place at the Supplier's Data Centers? (p. 212)
        Where Are My Data Being Stored? (p. 212)
    Vendor Oversight Program Basics (p. 213)
    Internal Trust (p. 213)

Section III: Summary

16 My Best Advice for New CISOs (p. 221)
    Talking to the Board (p. 223)

Appendix A: The Written Information Security Plan (p. 225)
Appendix B: Talking to the Board (p. 241)
Appendix C: Establishing an Incident Response Program (p. 253)
Appendix D: Sample High-Level Risk Assessment Methodology (p. 273)
Index (p. 279)
