Assured Information Solutions, LLC Securing the Life Blood

Assured Information
Solutions, LLC
Securing the Life Blood of Business - INFORMATION
Christopher D. Peele
CISSP-ISSEP
Chief IA Analyst
Background

- Christopher D. Peele, Chief IA Analyst
- B.S., Computer Technology; M.S., Information Assurance; CISSP, ISSEP, NSA IAM, NSA IEM
- Mr. Peele has over 30 years of technology experience ranging from avionics systems, bioelectronics systems, electronics, computer information systems, computer systems administration, project management and information assurance.
- Mr. Peele spent a combined 22 years in the US Air Force, serving in active, reserve and guard status as an Avionics Communication and Navigation Technician.
- He has over 14 years' experience in information security, and for 10 of those years he has worked in the Department of Defense environment on DIACAP initiatives in support of Joint, Army and Marine Corps information and combat systems for ATEC, NCR RNOSC, MCNOSC and MCSC.
- Mr. Peele has developed, witnessed, coordinated and conducted IA assessments in support of initial operational test and evaluation for the AEC Survivability Directorate for a number of systems. He has also implemented the certification and accreditation process in support of MCSC initiatives.

Securing the Critical Information
Vital to Your Small Business Survival
Agenda

- Why should we secure information?
- What mandates the protection of information?
- What are the threats to information?
- How is security implemented?
- Who is going to implement security?
- Who is responsible for security?
- Areas of Concentration

Why should we secure information?

- An Organization's Most Valuable Assets
  - Intellectual Property
  - Mission Information
  - Financial Information
  - Personally Identifiable Information
- Loss of Competitive Business or Technological Advantages
- Damage to Reputation
- Loss of Revenue
- Legal and Regulatory Sanctions
- Small/Medium Businesses are the Low-Hanging Fruit

What mandates the protection of information?

- Federal Information Security Management Act of 2002
- Family Educational Rights and Privacy Act
- Health Insurance Portability and Accountability Act
- Sarbanes-Oxley Act of 2002
- Gramm–Leach–Bliley Act
- Payment Card Industry Data Security Standard

What are the threats to information?

- External Threats
  - Manmade
    - Attack on a known vulnerability by a cyber criminal
    - Zero-day malware attack
    - Phishing, Spear Phishing and Whaling
    - Advanced Persistent Threats (APT)
    - Players: Nation States, Cyber Gangs, Hacktivists, Individuals
  - Natural
    - Flood
    - Fire
    - Earthquake

What are the threats to information?

- Internal Threats
  - Intentional: the Trusted Insider
    - Disgruntled employee
    - Employee with financial problems
    - Employee with adverse information
  - Unintentional
    - User opening an infected attachment
    - Misconfigured settings
    - Infecting a work system while working remotely
    - Introduction of malware via personal devices

How is security implemented?

- First, security is not one-size-fits-all!
- Security must align with business and mission objectives.
- Deploy in layers, with input from stakeholders
- Implement relevant controls
- Fortify network perimeters
- Institute security policies and procedures

How is security implemented?

- Fortify facility security controls
- Implement Security Awareness training
- Limit unauthorized access to the network and facility
- Monitor and audit network activity
- Protect mobile endpoints
- Conduct Human Resources background investigations
- Bottom line: implement Defense-in-Depth

Who is going to implement security?

- Certified Security Professionals:
  - Information Assurance Professionals
  - Information System Security Engineers
  - Cyber Security Professionals
- Certifications:
  - CISSP, ISSEP, ISSMP, CISM, CISA, CAP
  - Security+, Network+, CASP
  - SANS Certifications
  - OEM Certifications

Who is responsible for security?

- Security is Everyone's Responsibility!
- Senior Management is Ultimately Responsible for Security in their Organization
- Lead by Example!!
- TRUST BUT VERIFY!

Areas of Concentration

- Senior Management Buy-In
- Security Awareness Training
- Business Continuity Plan
- Configuration and Asset Management
- Develop Security Policies and Processes
- Enforce Security Policies
- Ensure Teaming Agreements Address Security Issues

AIS LLC's Capabilities

- Risk Management & IS Security Engineering
- IA Compliance & Continuous Monitoring
- Certification and Accreditation Process Oversight
- IA Assessment & Evaluation
- IA Test & Evaluation (T&E)
- IA Subject Matter Expertise
- IA Acquisition Support
- Project Management & Security Strategic Planning

IA Current and Past Performance

- Regional Support Services (PdM MCNIS): Provided day-to-day IA and Cyber Security support to the USMC Regional NOSC initiative to reestablish ownership and operational responsibility of the USMC NIPR network.
- Marine Corps Enterprise IT Services (PdM MCES): Provided IA analysis and C&A oversight to PdM MCES during the acquisition and sustainment phases of the MCEITS data center project.
- CH-53K HLR Helicopter (Sikorsky/Navy): Developed program protection plan and C&A process guidebook.
- Network Centric Enterprise Services (Joint/AEC): Developed and coordinated IA test plans and analysis in support of the DISA NCES program.
- Unified Command Suite (AEC): Provided IA analysis of an operational test conducted by JITC of a multiple-jurisdiction command and control system.

QUESTIONS?
Contact Information
Christopher Peele, MSIA
CISSP-ISSEP, NSA IAM, NSA IEM
Chief IA Analyst
Office: 703-919-9859
[email protected]