Information Security Programs

Designing & Building a Cybersecurity Program
Based on the NIST Cybersecurity Framework (CSF)
Larry Wilson
Lesson 1
June, 2015
About the Class
This course covers the essential elements for planning, building and managing a cybersecurity program
Lesson 1 – The Controls Factory
 The Fundamentals
 Understanding the Risks
 The Controls Factory
 The Cybersecurity Programs
 The Vision
Lesson 2 – Controls Factory Components
 The Threat Office
 The Controls Office
 The Technology Center
 The Operations Center
 The Testing Center
 The Program Office
 The GRC Office
Lesson 3 - Building the Program
 Step 1: Establish Goals, Objectives, Approach, Deliverables
 Step 2: Get Management Support
 Step 3: Establish Budget, Resources, Scope, Funding, Timeline
 Step 4: Establish Program, Asset, Controls Roadmap
 Step 5: Select Controls, Technologies, Services
 Step 6: Build Master Plan and Program Mapping
 Step 7: Prioritize Deliverables
 Step 8: Conduct Program, Asset, Controls Review
 Step 9: Establish Program, Asset, Controls Risk Dashboard
 Step 10: Program Summary: End to End Security
Lesson 4: Case Study: The South Carolina DOR Data Breach
 Part 1: The State Government Information Security Initiative
 Part 2: The Mandiant Report
 Part 3: The Deloitte Initial Report
 Part 4: The Deloitte Interim Report
 Part 5: The Deloitte Final Report
About the Instructor
Larry Wilson, Information Security Lead - University of Massachusetts
Design, build, manage UMASS Written Information Security Program (WISP)
 Based on industry standard controls: ISO 27002, Council on Cybersecurity, NIST Cybersecurity Framework
 Implemented consistently across all university campuses
Prior to UMASS
 Vice President, Network Security Engineering Manager at State Street - I designed their program
 IT Audit Manager for Deloitte working on the MasterCard account – I assessed their program
Education and Certifications
 MS in Structural Engineering from University of New Hampshire.
 Industry certifications include PE, CISSP, CISA and PCI ISA
Develop and Deliver Training Classes
 Secure World Expo (Building a Cybersecurity Program)
 ISACA New England (CISA certification training)
Executive Recognition (2013)
 ISE Executive Award Finalist – Northeast Region, North America
 SANS Person Who Made a Difference in Cybersecurity
UMASS Security Program Recognition (2013, 2014)
 ISE Project Award Winner – North America
 SANS 20 Critical Controls Poster - Featured Program
Lesson 1: The Controls Factory
Part 1: The Fundamentals
 Data is the New Oil
 Data is Everywhere
 The Key Business Challenges
 The Key Technology Challenges
 The High Risk of Data Breaches
 The Challenge to Our executives
 The Response: Need to be Proactive
Part 2: Understanding the Risks
 The Risk Equation
 What are you Trying to Protect?
 What are you Afraid of Happening?
 How Could the Threat Occur?
 What is Currently Reducing the Risk?
 What is the Impact to the Business?
 How Likely is the Threat given the Controls?
Part 3: The NIST Framework
 The Framework Core
 The Framework Profile
 The Framework Implementation Tiers
 Cyber Resilience Review
 Who’s Using the Framework
Part 4: The Controls Factory
 The Problem Statement
 The Solution Approach
 Protecting the Assets
 The Factory Offices / Centers
Part 5: The Cybersecurity Programs
 P1: The Infrastructure Security Program
 P2: The Application Security Program
 P3: The Data Governance Program
 P4: The Identity Governance Program
 P5: The Critical Assets Program
Part 6: The Vision / Next Steps
 Where We Were - Yesterday
 Where We Are - Today
 Where We’re Going - Tomorrow
 2015 Cybersecurity Predictions
 Building an Effective Program
Part 1: The Fundamentals
Why doesn’t everyone have a BRICK House?
Did everyone NOT read the 3 little Pigs?
Data is the New Oil
Data is Everywhere
Growing attack surface
Mobile applications
Consumerization of IT
Privileged accounts
Public, private, hybrid cloud …
Internet of Things….…
The Key Business Challenges
The Key Technology Challenges
The Threat Situation
Threat Actors
Continuing serious cyber attacks on information systems, large and
small; targeting key federal, state, local, and private sector
operations and assets ….
 Attacks are organized, disciplined, aggressive, and well resourced; many are
extremely sophisticated
 Adversaries are nation states, terrorist groups, criminals, hackers, and
individuals or groups with intentions of compromising your information
systems
 Effective deployment of malicious software causing significant exfiltration
of sensitive information (including intellectual property) and potential for
disruption of critical information systems / services.
-- Dr. Ron Ross
NIST, Computer Security Division
Information Technology Laboratory
The Cyber Threat Landscape
The Possible Consequences
Cyber Attacks Could Put Humans and Infrastructure at Risk
How Data Breaches Occur
The Carbanak Attack
The Dyre Wolf Attack
The Target Attack
Global State of Information Security Survey 2015
Key findings and trends (PWC)
The Challenge:
To Corporate and Government Leaders ….
Where does your business stand on basic cybersecurity hygiene?
There is a global awakening among non technologists
 That we are vulnerable in cyberspace
 We are not organized well to protect ourselves
 We suffer from a “fog of more” ……
 More standards, more checklists, more devices, more technology, more things …
Jane Holl Lute, Council on Cybersecurity
Served as Deputy Secretary for Homeland Security from April 2009 to April 2013
Our Executives need to ask five basic questions
 Do we know what’s connected to our systems and networks?
 Do we know what’s running or trying to run on our systems and networks?
 Are we limiting the number of people with administrative privileges to change, bypass or override
the security setting?
 Do we have continuous processes backed by security technologies that allow us to prevent most
breaches, rapidly detect all that do succeed and minimize damage to our business and
customers?
 Can you demonstrate all this to me, to our Board, and to our shareholders and customers today?
Because ….
 Having these basic safeguards in place will prevent 80% to 90% of the known attacks
The Response:
We Need to be Proactive ….
Manage our Risks
 Understand and establish a well developed risk management model
 Apply controls to our assets
 Because every security incident starts with a compromised asset
Manage our Assets
 Inventory, prioritize, categorize (by type and value), safeguard
 Lifecycle Management (provision, de-provision, discover, manage changes, reconciliation, monitor & alert)
Manage our Programs
 Understand the essential building blocks
 And how they relate
Alignment and Transparency
 Are we on the same page?
 Are we learning and improving?
 Are we testing and measuring?
 Are we maturing our program over time?
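The reconciliation step above, as an added example in Python (not part of the original deck or the UMASS program): a discovery scan result is joined against the asset inventory to surface the unmanaged assets the slides describe as easy targets, plus stale inventory entries that nobody is watching. The inventory CSV, the scan lines, the "risky port" list and the host classes are constructed sample data and assumptions made for the example.

```python
"""Asset reconciliation: discovered hosts versus the authoritative inventory.

Added example. The inventory, scan output and 'risky port' list below are
constructed sample data, not from the slides or the UMASS program.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed inventory (what the CMDB says we own and who manages it).
INVENTORY_CSV = """\
hostname,ip,owner,asset_class,criticality
web-01,10.0.1.10,app-team,Applications & Programs,high
db-01,10.0.2.20,dba-team,Databases & File Shares,crown-jewel
lt-4471,10.0.5.31,helpdesk,Endpoint Devices,low
sw-core-1,10.0.0.1,netops,Network Devices,high
"""

# Constructed discovery-scan output: "<ip> <reported name> open:<ports>".
SCAN_LINES = """\
10.0.1.10 web-01 open:22,443
10.0.2.20 db-01 open:1433
10.0.5.31 lt-4471 open:135,445
10.0.5.77 lt-4492 open:135,445,3389
10.0.9.5 nas-old open:21,445
"""

# Assumption: services that make an unmanaged host an easy target.
RISKY_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp"}


@dataclass
class Host:
    ip: str
    hostname: str
    ports: tuple = ()
    asset_class: str = "unknown"
    criticality: str = "unknown"


@dataclass
class Reconciliation:
    managed: list = field(default_factory=list)    # in inventory and seen on the wire
    unmanaged: list = field(default_factory=list)  # seen on the wire, not in inventory
    stale: list = field(default_factory=list)      # in inventory, not seen: decommissioned or hidden


def parse_inventory(text):
    """Inventory CSV -> {ip: Host} (no ports; the inventory does not record them)."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["ip"]: Host(r["ip"], r["hostname"], asset_class=r["asset_class"],
                          criticality=r["criticality"]) for r in rows}


def parse_scan(text):
    """Scan lines -> {ip: Host} with the open ports the scanner reported."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, name, ports_field = line.split()
        port_list = ports_field.split(":", 1)[1]
        ports = tuple(int(p) for p in port_list.split(",") if p)
        hosts[ip] = Host(ip, name, ports)
    return hosts


def reconcile(inventory, scan):
    """Join the two views on IP address and bucket every host."""
    result = Reconciliation()
    for ip, seen in scan.items():
        known = inventory.get(ip)
        if known is None:
            result.unmanaged.append(seen)
        else:
            # Keep the inventory's ownership data, but the scanner's live port list.
            result.managed.append(Host(ip, known.hostname, seen.ports,
                                       known.asset_class, known.criticality))
    result.stale = [known for ip, known in inventory.items() if ip not in scan]
    return result


def risky_services(host):
    """Names of exposed services from RISKY_PORTS, sorted for stable output."""
    return sorted(RISKY_PORTS[p] for p in host.ports if p in RISKY_PORTS)


def prioritized_unmanaged(recon):
    """Unmanaged hosts ordered by exposed risky services (most first), then IP."""
    return sorted(recon.unmanaged, key=lambda h: (-len(risky_services(h)), h.ip))


if __name__ == "__main__":
    recon = reconcile(parse_inventory(INVENTORY_CSV), parse_scan(SCAN_LINES))
    print(f"managed: {len(recon.managed)}  unmanaged: {len(recon.unmanaged)}  stale: {len(recon.stale)}")
    for h in prioritized_unmanaged(recon):
        print(f"UNMANAGED {h.ip:<12} {h.hostname:<10} exposes {', '.join(risky_services(h)) or 'nothing risky'}")
    for h in recon.stale:
        print(f"STALE     {h.ip:<12} {h.hostname:<10} ({h.asset_class}) not seen by the scan")
```

The unmanaged list is the factory's input queue; the stale list is the other half of the reconciliation the slide asks for, since an inventoried switch that a scan cannot see is either gone or on a segment the scanner does not reach, and both deserve a ticket.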
We have executive attention …..
So now what?
Part 2: Understanding the Risks
The Risk Equation

    Risk = (Threats × Vulnerabilities × Asset Value) / Controls + Residual Risk

How do we calculate risk?
 Risk is based on the likelihood and impact of a cyber-security incident or data breach
 Threats involve the potential attack against IT resources and information assets
 Vulnerabilities are weaknesses of IT resources and information that could be exploited by a threat
 Asset Value is based on criticality of IT resources and information assets
 Controls are safeguards that protect IT resources and information assets against threats and/or vulnerabilities
 Residual risk includes a combination of unknown threats + unknown vulnerabilities + unmanaged assets + missing controls
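An added example (not from the deck) that turns the risk equation above into a scoring model you can run over a small asset list. The 1-to-5 scales, the rule that an unmanaged asset gets no credit for its controls, the residual-risk points, the tolerance and the assets themselves are assumptions made for the example.

```python
"""Scoring assets with the slide's risk equation:
    Risk = (Threats x Vulnerabilities x Asset Value) / Controls + Residual Risk

Added example; the scales, the sample assets and the 'no credit for controls on
unmanaged assets' rule are assumptions, not the deck's own numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: int    # 1..5: criticality of the IT resource or information
    threat: int         # 1..5: likelihood of attack against this asset type
    vulnerability: int  # 1..5: severity of the known weaknesses
    controls: int       # 1..5: strength of applied safeguards (1 = none)
    managed: bool       # inventoried and under lifecycle management
    residual: float     # points for unknown threats / vulnerabilities / missing controls


def inherent_risk(a):
    """Threats x Vulnerabilities x Asset Value, before any control is credited."""
    return a.threat * a.vulnerability * a.asset_value


def risk_score(a):
    """The full equation. Assumption: an unmanaged asset earns no control credit,
    because nobody can show the controls are actually applied to it."""
    credit = a.controls if a.managed else 1
    return inherent_risk(a) / credit + a.residual


def ranked(assets):
    """Highest risk first; ties broken by name for stable reporting."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


def above_tolerance(assets, tolerance):
    return [a for a in ranked(assets) if risk_score(a) > tolerance]


def controls_needed(a, tolerance):
    """Smallest control strength (1..5) that brings a managed asset within
    tolerance, or None if even level 5 is not enough (reduce the residual term
    or the asset's exposure instead). For an unmanaged asset this is the level
    to build once it has been brought under management."""
    for level in range(1, 6):
        if inherent_risk(a) / level + a.residual <= tolerance:
            return level
    return None


# Constructed sample assets (not from the slides).
ASSETS = [
    Asset("ERP database (crown jewel)", 5, 5, 3, 4, True, 5.0),
    Asset("Marketing web server",       3, 4, 4, 2, True, 2.0),
    Asset("Lab NAS (not in inventory)", 2, 3, 5, 3, False, 6.0),
    Asset("Staff laptop",               2, 4, 2, 4, True, 1.0),
]
TOLERANCE = 20.0  # assumed risk appetite for the example


if __name__ == "__main__":
    for a in ranked(ASSETS):
        flag = "OVER" if risk_score(a) > TOLERANCE else "ok"
        print(f"{flag:<4} {risk_score(a):6.2f} {a.name:<28} "
              f"needs controls level {controls_needed(a, TOLERANCE)}")
```

The unmanaged NAS ranks first even though it is the least valuable asset: with no inventory entry its claimed controls count for nothing and the full inherent risk plus the unknowns term lands on the register, which is the slide's point that every breach starts with a compromised (and usually unmanaged) asset.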
Assets: What are you trying to protect?
What are the assets?
How are the Assets Managed?
Where are the Assets?
Which Assets are Critical?
Threats: What are you afraid of happening?
What are the threats?
How have the threats changed?
Where are the threats?
How are attacks staged?
Vulnerabilities: How could the threat occur?
What is a vulnerability?
How are the Vulnerabilities Managed?
What are the Vulnerabilities?
How are vulnerabilities remediated?
Mitigation: What is currently reducing the risk?
What is a controls framework?
What is a control?
How are controls measured?
What are the controls types?
[Figure: the controls grid, with management (MGT-01 to MGT-16), technical (TEC-01 to TEC-20) and operations (OPS-01 to OPS-20) control identifiers arranged around the Critical Assets]
Impact: What is the impact to the business?
Probability: How likely is the threat given the controls?
Cybersecurity Approach
Cybersecurity Risk & Consulting Services
EY’s Cyber Program Management (CPM) Framework
KPMG Cyber Security Framework
Deloitte Cyber Risk Services: Secure. Vigilant. Resilient
PWC Cybersecurity Services
Cybersecurity Approach
Cybersecurity Technology Providers
HP Cybersecurity Framework
Cisco Cybersecurity Framework
EMC/RSA Cybersecurity Framework
Oracle Security Approach
Cybersecurity Approach
Managed Security Services Providers (MSSPs)
Symantec Security Solutions
IBM Managed Security Services
Dell Secureworks
AT&T Security Services
Part 3: The NIST Cybersecurity Framework
The NIST Cybersecurity Framework
Cybersecurity Program Steps
The Cybersecurity Resilience Approach
Step 1: Prioritize and Scope.
Step 2: Orient.
Step 3: Create a Current Profile.
Step 4: Conduct a Risk Assessment.
Step 5: Create a Target Profile.
Step 6: Determine, Analyze, and Prioritize Gaps.
Step 7: Implement Action Plan.
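The Current Profile, Target Profile and gap steps above, as an added example in Python (not from the deck or from NIST). Each Framework subcategory carries an implementation level from 0 (not performed) to 4, the weight stands in for the Step 4 risk assessment, and the subcategory identifiers are CSF identifiers with paraphrased descriptions; the levels, weights and the 0-to-4 scale are assumptions for the example.

```python
"""NIST CSF profile gap analysis: Current Profile versus Target Profile.

Added example. The 0..4 implementation levels, the weights and the sample
profiles are assumptions; the subcategory IDs are CSF identifiers with
paraphrased descriptions.
"""
from dataclasses import dataclass

FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Constructed sample: subcategory -> (description, current level, target level, risk weight)
SUBCATEGORIES = {
    "ID.AM-1": ("Physical devices and systems are inventoried",        1, 4, 5),
    "ID.AM-2": ("Software platforms and applications are inventoried", 1, 3, 4),
    "PR.AC-4": ("Access permissions follow least privilege",           2, 4, 5),
    "DE.CM-1": ("The network is monitored for cybersecurity events",   2, 3, 3),
    "RS.RP-1": ("Response plan is executed during or after an event",  3, 3, 4),
    "RC.RP-1": ("Recovery plan is executed during or after an event",  1, 2, 2),
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    description: str
    current: int
    target: int
    weight: int

    @property
    def size(self):
        return self.target - self.current

    @property
    def priority(self):
        """Step 6: gap size scaled by the subcategory's risk weight."""
        return self.size * self.weight


def function_of(subcategory):
    """'ID.AM-1' -> 'Identify' (the prefix before the dot names the function)."""
    return FUNCTIONS[subcategory.split(".", 1)[0]]


def gap_analysis(profiles=SUBCATEGORIES):
    """Step 6 output: open gaps, highest priority first (ties by ID).
    Subcategories already at or above target are omitted; those above target
    are reported separately by over_invested()."""
    gaps = [Gap(sc, function_of(sc), desc, cur, tgt, w)
            for sc, (desc, cur, tgt, w) in profiles.items() if tgt > cur]
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def over_invested(profiles=SUBCATEGORIES):
    """Subcategories where the current level exceeds the target: a signal to
    revisit the target profile or redirect effort, not an action item."""
    return sorted(sc for sc, (_, cur, tgt, _) in profiles.items() if cur > tgt)


def function_rollup(profiles=SUBCATEGORIES):
    """Average current and target level per Framework function, for the dashboard."""
    totals = {}
    for sc, (_, cur, tgt, _) in profiles.items():
        fn = function_of(sc)
        c, t, n = totals.get(fn, (0, 0, 0))
        totals[fn] = (c + cur, t + tgt, n + 1)
    return {fn: (round(c / n, 2), round(t / n, 2)) for fn, (c, t, n) in totals.items()}


def action_plan(profiles=SUBCATEGORIES, budget=None):
    """Step 7 input: the ordered list of subcategories to raise, optionally cut
    to the first `budget` items."""
    plan = [f"{g.subcategory} ({g.function}): {g.current} -> {g.target}, "
            f"priority {g.priority}: {g.description}"
            for g in gap_analysis(profiles)]
    return plan if budget is None else plan[:budget]


if __name__ == "__main__":
    for line in action_plan():
        print(line)
    for fn, (cur, tgt) in function_rollup().items():
        print(f"{fn:<8} current {cur:.2f}  target {tgt:.2f}")
    print("over-invested:", over_invested() or "none")
```

Weighting the gap by risk rather than sorting on gap size alone is what keeps the Identify asset-inventory subcategories at the top of the plan: the same two-level gap on a low-weight subcategory sinks below a one-level gap on a high-weight one, which is the ordering Step 6 asks for.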
The NIST Cybersecurity Framework
NIST Definition of cyber resilience
“… the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to
withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents…”
DHS Cyber Resilience Review – Areas of Focus
1 Asset Management - The purpose of Asset Management is to identify, document, and manage assets during their life cycle to ensure sustained
productivity to support critical services.
2 Controls Management - The purpose of Controls Management is to identify, analyze, and manage controls in a critical service’s operating
environment.
3 Configuration and Change Management - The purpose of Configuration and Change Management is to establish processes to ensure the integrity
of assets using change control and change control audits.
4 Vulnerability Management - The purpose of Vulnerability Management is to identify, analyze, and manage vulnerabilities in a critical service’s
operating environment.
5 Incident Management - The purpose of Incident Management is to establish processes to identify and analyze events, detect incidents, and
determine an organizational response.
6 Service Continuity Management - The purpose of Service Continuity Management is to ensure the continuity of essential operations of services
and their associated assets if a disruption occurs as a result of an incident, disaster, or other disruptive event.
7 Risk Management - The purpose of Risk Management is to identify, analyze, and mitigate risks to critical service assets that could adversely affect
the operation and delivery of services.
8 External Dependencies Management - The purpose of External Dependencies Management is to establish processes to manage an appropriate
level of controls to ensure the sustainment and protection of services and assets that are dependent on the actions of external entities.
9 Training and Awareness - The purpose of training and awareness is to promote awareness in and develop skills and knowledge of people in
support of their roles in attaining and sustaining operational sustainment and protection.
10 Situational Awareness - The purpose of Situational Awareness is to actively discover and analyze information related to immediate operational
stability and security and to coordinate such information across the enterprise to ensure that all organizational units are performing under a
common operating picture.
The NIST Cybersecurity Framework
The Framework Benefits
Fact Sheet
White House Summit on Cybersecurity and Consumer Protection - February 13, 2015
The following corporations announced a commitment to using the NIST Cybersecurity Framework.
 Intel is releasing a paper on its use of the Framework and requiring all of its vendors to use the Framework by contract.
 Apple is incorporating the Framework as part of the broader security protocols across its corporate networks.
 Bank of America will announce that it is using the Framework and will also require it of its vendors.
 U.S. Bank and Pacific Gas & Electric are announcing that they are committed to using the Framework.
 AIG is starting to incorporate the NIST framework into how it underwrites cyber insurance for large, medium-sized, and small
businesses and will use the framework to help customers identify gaps in their approach to cybersecurity.
 QVC is announcing that it is using the Cybersecurity Framework in its risk management.
 Walgreens is announcing its support for the Cybersecurity Framework and that it uses it as one of its tools for identifying and
measuring risk.
 Kaiser Permanente is committing to use the Framework.
Part 4: The Controls Factory
The Problem Statement
Our Unmanaged Assets ARE NOT protected
Our unmanaged assets
 There are undetected problems – not seen, not reported
 Our unmanaged assets become easy targets
 Which lead to a breach from missing or ineffective controls
Our Managed Assets ARE protected
Our managed assets
 We need to understand why security breaches occur
 And the steps to take to prevent them
 And build a portfolio of managed assets
The Solution Approach
The Controls Factory
[Figure: the Controls Factory. Unmanaged assets enter, pass through the seven offices / centers numbered below, and exit as managed assets]
1. Threats: Threats, Vulnerabilities, IOCs, Attack Chain
2. Controls : Framework, Types, Standards
3. Technologies: Architecture, Design, Build & Run
4. Operations: Approach, Design, Build & Run
5. Testing : Threat Model, Controls Testing, Operations Testing
6. Programs: Approach, Design, Build & Run
7. GRC: Governance, Risk Management, Compliance
The Solution Approach
Cybersecurity Delivery Life Cycle (CSDLC)
Unmanaged assets enter the Controls Factory and managed assets exit it. Each CSDLC stage is delivered by the office / center with the same number:
1. Requirements (Threats: Threats, Vulnerabilities, IOCs, Attack Chain)
2. Design (Controls: Framework, Types, Standards)
3. Implementation (Technologies: Architecture, Design, Build & Run)
4. Operations (Operations: Approach, Design, Build & Run)
5. Verification (Testing: Threat Model, Controls Testing, Operations Testing)
6. Program Management (Programs: Approach, Design, Build & Run)
7. Risk Management (GRC: Governance, Risk Management, Compliance)
The Controls Factory
The Current Profile (Before the Factory): unmanaged assets are the input. The Target Profile (After the Factory): managed assets are the output.
The factory has a Design Area, a Build & Run Area and a Management Area, staffed by seven offices / centers, each with three responsibilities:

F1 Threat Office:      Threats, Vulnerabilities, IOCs | Threat Intelligence | The Cyber Attack Chain
F2 Control Office:     Controls Definition | Controls Framework | Controls Standards
F3 Technology Center:  Technology Architecture | Technology Design | Technology Build & Run
F4 Operations Center:  Cybersecurity Operations Center | Security Administration Center | Resilience, Response, Forensics
F5 Testing Center:     Threat Modeling | Controls & Technology Testing | Operations & Incident Testing
F6 Program Office:     The WISP | Program Deliverables | Program Roadmap
F7 GRC Office:         Organizational Model | Assurance & Audit | Compliance Initiatives
F1: The Threat Office
 Threats & Vulnerabilities
 The Cyber Attack Chain
 Threat Sharing
Mapping Attacks to Assets: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels (all drawn from the Asset Inventory)
F2: The Controls Office
 The NIST Cybersecurity Framework
 The Controls Types
 The Controls Standards
Mapping Controls to Assets: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels (all drawn from the Asset Inventory)
F3: The Technology Center
 Technology Architecture
 Technology Design
 Technology Build & Run
Mapping Cybersecurity Technology to Assets: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels (all drawn from the Asset Inventory)
F4: The Operations Center
 Cybersecurity Operations Center (CSOC)
 Cybersecurity Administration Center
 Resilience, Response and Forensics
Mapping Cybersecurity Operations to Assets: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels (all drawn from the Asset Inventory)
F5: The Testing Center
 Threat Modeling
 Controls Testing
 Operations Testing
The C3 Test Analyzer: each asset class (Endpoints, Network, Systems, Databases, Applications, Identities, Data, Crown Jewels) is tested against its controls under each NIST Framework function (Identify, Protect, Detect, Respond, Recover), with the controls drawn from COBIT 5.0, ISO 27001, 20 CSC, IEC 62443, NIST 800-53, BSIMM V5, PCI DSS, HIPAA and 201 CMR 17
Mapping Testing / QA to Assets: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels (all drawn from the Asset Inventory)
F6: The PMO Office
 Program Management Principles
 Program Management Methodology
 Program Tracking and Reporting Dashboard
Mapping Cybersecurity Programs to Assets: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels (all drawn from the Asset Inventory)
F7: The GRC Office
 GRC Principles
 GRC Methodology
 GRC Tracking & Reporting Dashboard
Mapping Cybersecurity Governance to Assets: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels (all drawn from the Asset Inventory)
Part 5: The Cybersecurity Programs
The Program Model
Unmanaged assets are the input and managed assets are the output. Each office / center feeds every program:
Threat Office (Attack Models) | Controls Office (Controls Design) | Technology Center (Technology Build & Run) | Operations Center (Operations Build & Run) | Testing Center (Testing Build & Run) | PMO Office (Programs Build & Run) | GRC Office (Risk Reporting)
The five programs:
 P1: Infrastructure Security Program (Deliverables: Managed Endpoints, Networks, Servers, Databases)
 P2: Application Security Program (Deliverables: Managed Applications)
 P3: Data Governance Program (Deliverables: Managed Information)
 P4: Identity Governance Program (Deliverables: Managed People, Accounts, Entitlements)
 P5: Crown Jewels Program (Deliverables: Managed Critical Assets)
P1: The Infrastructure Program
The Program Engine:
1. The Assets
2. The Controls
3. The Solutions
4. The Operations
5. The Testing
6. The Assessments & Reporting
The Controls Engine (the C3 Test Analyzer): the asset classes (Infrastructure, Applications, Information, Identities, Crown Jewels) are tested under the NIST Framework functions (Identify, Protect, Detect, Respond, Recover) against COBIT 5.0, 20 CSC, IEC 62443, ISO 27001, NIST 800-53, BSIMM V5, PCI DSS, HIPAA and 201 CMR 17
P2: The Application Program
The Program Engine:
1. The Assets
2. The Controls
3. The Solutions
4. The Operations
5. The Testing
6. The Assessments & Reporting
The Controls Engine (the C3 Test Analyzer), as for P1
P3: The Data Governance Program
The Program Engine:
1. The Assets
2. The Controls
3. The Solutions
4. The Operations / Administration
5. The Testing
6. The Assessments & Reporting
The Controls Engine (the C3 Test Analyzer), as for P1
P4: The Identity Governance Program
The Program Engine:
1. The Assets
2. The Controls
3. The Solutions
4. The Operations / Administration
5. The Testing
6. The Assessments & Reporting
The Controls Engine (the C3 Test Analyzer), as for P1
P5: The Critical Assets Program
The Program Engine:
1. The Assets
2. The Controls
3. The Solutions
4. The Operations / Administration
5. The Testing
6. The Assessments & Reporting
The Controls Engine (the C3 Test Analyzer), as for P1
The Program Summary
Input: Unmanaged Assets [Programs]
 1. Endpoint Devices
 2. Network Security
 3. Data Center Systems
 4. Database Security
 5. Application Security
 6. Identity Governance
 7. Data Governance
 8. Crown Jewels
Build a Cybersecurity Program:
 Cyber Attack Chain
 NIST Controls Framework: Identify, Protect, Detect, Respond, Recover
 Controls Standards & Mapping: Management Controls (ISO 27001:2013), Technical Controls (Council on Cyber-security CSC), Operations Controls (ISO 27001:2013)
 Technologies & Services
 Operations & Administration: Cybersecurity Operations Center, Cybersecurity Administration Center, Incident Response Team
 Testing & Reporting: Cybersecurity Controls Testing & Reporting, Cybersecurity Technology Testing & Reporting, Cybersecurity Operations Testing & Reporting
Output: Managed Assets [Programs], the same eight programs (Endpoint Devices, Network Security, Data Center Systems, Database Security, Application Security, Identity Governance, Data Governance, Crown Jewels), now managed
Part 6: The Factory Vision / Next Steps
Where were we? - Yesterday
Defense in Depth: the early days (2010)
[Figure: the six controls layers, each with its program: Governance, Risk, Compliance (GRC); Threats & Vulnerabilities (TVM); Infrastructure (IOS); Applications (AIS); Data (PDP); People & Identities (IAM)]
Six Security Programs
 PRG1: Governance, Risk, Compliance (GRC)
 PRG2: Threat & Vulnerability Management (TVM)
 PRG3: Privacy and Data Protection (PDP)
 PRG4: Application Integrity and Security (AIS)
 PRG5: Identity & Access Management (IAM)
 PRG6: Infrastructure &Operations Security (IOS)
The Controls Layers:
 GRC: Program Governance, Risk Management and Compliance
 Threat & Vulnerability: Internal & External threats & weaknesses
 Network & Server Assets: Core Infrastructure
 Application Assets: Provides authorized user access to the data
 Data Layer: Where information resides
 People & Identities: Authorized vs. Unauthorized user access to data
Where are we? - Today
The Current Profile
(Before the Factory)
The Target Profile
(After the Factory)
[Figure: the Controls Factory diagram with the seven offices / centers F1 to F7, as shown under The Controls Factory above]
Where are we going? - Tomorrow
Factory in a Can
 AR: Academic / Research Factory
 ST: Staging / Test Factory
 CE: Corporate / Enterprise Factory
 CP: Cloud / Partner Factory
Summary: Building an Effective Security Program
The NIST Golden Rules
 Develop an enterprise-wide information security strategy and game plan
 Get corporate “buy in” for the enterprise information security program—effective programs start at the top
 Build information security into the infrastructure of the enterprise
 Establish a level of “due diligence” for information security
 Focus initially on mission/business case impacts—bring in threat information only when specific and credible
 Create a balanced information security program with management, operational, and technical security controls
 Employ a solid foundation of security controls first, then build on that foundation guided by an assessment of risk
 Avoid complicated and expensive risk assessments that rely on flawed assumptions or unverifiable data
 Harden the target; place multiple barriers between the adversary and enterprise information systems
 Be a good consumer—beware of vendors trying to sell “single point solutions” for enterprise security problems
 Don’t be overwhelmed with the enormity or complexity of the information security problem—take one step at a time and build
on small successes
 Don’t tolerate indifference to enterprise information security problems
And finally…
 Manage enterprise risk—don’t try to avoid it!
Questions?