Information Security - Nacba

Information Security
Being a Good Steward of Church Information

Talk Amongst Yourselves…

Who is this dude?
• Erik Thorsell
• Founder and CEO, Success Computer Consulting, since 1992
• IBM Premier Business Partner and Microsoft Gold Server Partner
• Former Pillsbury Doughboy

Who is Success Computer Consulting?
• Managed network service provider
• Focused on the faith community
  - Plymouth Congregational, Westminster Presbyterian, Beth Jacob Congregation, Mpls. Synod of ELCA, Catholic Archdiocese of Saint Paul & Minneapolis, several Catholic parishes
• Focus on non-profit organizations
• 32 people, including 20 certified (and friendly!) technical staff

Real Life Examples
• The Inside Job
• A (forgive me) Stupid Mistake
• The Ukraine comes to Red Wing
• Anyone else got an example?

What is security, exactly?
• State or feeling of safety
• Freedom from worries of loss
• Something giving assurance
Based on this definition, is technology security even attainable?

The Risk Landscape
Today’s Threats
• Third-party applications
  - On a PC, third-party applications account for about 3.5 times as many vulnerabilities as Microsoft's own software (a rate of 350%)
  - Attacks exploiting PDF readers increased from 11% to 49% of all malware attacks
• Fake AntiVirus – “Rogueware/Scareware”
  - Some are merely fraudulent: they social-engineer you into paying for a useless product
  - Others are malicious: the fake “scanner” installs a back door
  - Keep security appliances up to date; they block known rogueware/scareware

Today’s Threats
• More attacks through HTTPS / SSL
  - Content inside an encrypted session is invisible to a perimeter device unless that device inspects TLS traffic, so attackers increasingly deliver malware and phishing pages over HTTPS
  - Rely on up-to-date security appliances
  - Look for strong authentication capabilities in security products
• Social networking threats increase
  - The threat of malware through social networking sites is increasing rapidly
  - Security experts recommend blocking these sites on your network

Today’s Threats
• Employee Insubordination
  - Early warning signs include dishonesty, incompetence (real or feigned), reluctance to change, lack of dependability or apathy
  - Can lead to significant, irreversible damage
• Disaster / Business Interruption
  - Water leak! - #1 cause of physical system damage
  - Electrical surge/spike, fire, theft / vandalism, storm, etc.

Compliance
• PCI – Payment Card Industry
  - www.pcisecuritystandards.org
• HIPAA – Health Insurance Portability and Accountability Act
• GLBA – Gramm-Leach-Bliley Act
• SOX – Sarbanes-Oxley Act

Components of a Security Strategy
• Technology
• Policies and Procedures
• Physical Security
• People
• Assessment

Technology Tools
• Firewall
• AntiVirus/AntiSpyware
• Patch Management
• Backup
• SPAM Filtering
• Data Loss Prevention
• MBSA (Microsoft Baseline Security Analyzer)

Policies and Procedures
• Information Security Policy
  - Access Control, Virus Prevention, Internet Usage/Security, System Security, Acceptable Use, Remote Access (VPN, RDP)
• Procedures/Documentation
  - Disaster Recovery Plan, Data Backup Procedures, Firewall Configuration, Server Configuration

Physical Security
• Secure cabinet or room for server and network hardware (including backup systems)
• Sign-in/out log in work areas that contain sensitive data
• Computer locks – physical and O/S lock
• Asset I.D. tagging
• B.Y.O.D. Policy

People
• Organization-wide emphasis on security
  - Personnel are the key element in mitigating security risk
  - The IT department does not shoulder the responsibility alone
  - Security is everybody’s job
  - Strict enforcement of policies is critical

Assessment
• Types of assessments:
  - Perimeter scan / penetration testing
  - Patch management review
  - Policy / procedure assessment
  - Disaster recovery plan review
• Reasons:
  - PCI compliance
  - Peace of mind
  - IT workload prioritization

The Minimum!
• Technology
  - Firewall with UTM/XTM subscription
  - AntiVirus software – updated
  - Patch management solution
  - Backup with offsite storage
• Policy and Procedure
  - Password policy
• Physical Security
  - Server and all media in a locked room/cabinet
• People
  - Have a discussion about security and risk
• Assessment
  - As required by PCI compliance

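The "Password policy" line above says nothing about what such a policy should actually enforce. What follows is an added example, not code from the presentation or from Success Computer Consulting: a small checker for an assumed policy (12-character minimum, three of four character classes, no user name inside the password, no character repeated three times in a row, and not on a denylist of common passwords). The denylist is kept as SHA-256 digests so the policy file never holds plaintext passwords; the rule values, the denylist entries and the sample passwords are all constructed for the illustration.

```python
"""Password-policy check (added example; rule values and denylist are assumed).

The checker returns the list of rules a candidate password breaks, so it can
be wired into an account-creation or reset process and the reasons shown to
the user.  Nothing here stores or logs the password itself."""
import hashlib
import re

MIN_LENGTH = 12          # assumed policy minimum
MIN_CLASSES = 3          # of: lower, upper, digit, symbol
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

# Constructed denylist of common passwords.  Only SHA-256 digests of the
# lower-cased values are kept, so the policy file never contains plaintext.
_COMMON_PASSWORDS = ["password", "Password1", "letmein", "Welcome1!", "church2014"]
DENYLIST = {hashlib.sha256(p.lower().encode()).hexdigest() for p in _COMMON_PASSWORDS}


def on_denylist(password: str) -> bool:
    """Case-insensitive lookup against the hashed denylist."""
    return hashlib.sha256(password.lower().encode()).hexdigest() in DENYLIST


def violations(password: str, username: str = "") -> list:
    """Return the policy rules broken by `password` (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for pat in CLASS_PATTERNS if re.search(pat, password))
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} character classes, needs {MIN_CLASSES}")
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the user name")
    if re.search(r"(.)\1\1", password):
        problems.append("repeats one character three or more times in a row")
    if on_denylist(password):
        problems.append("is on the common-password denylist")
    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """True when the password breaks none of the rules."""
    return not violations(password, username)


if __name__ == "__main__":
    # Constructed sample candidates for the demonstration run.
    for user, pw in [("jsmith", "Welcome1!"),
                     ("jsmith", "Choir-Rehearsal-Tuesday-7pm"),
                     ("pastor", "Pastor-Budget-2014")]:
        print(f"{user}: {'OK' if is_acceptable(pw, user) else violations(pw, user)}")
```

A policy check like this belongs wherever accounts are created or passwords reset; the same rules should be configured in the server's own password policy so they are enforced for everyone, not only for users who go through this script.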
Recommended Industry Standard
(all the minimums, plus these…)
• Technology
  - Managed service monitoring and patch management
  - Secure wireless access
  - Group policy on server to limit user installs, configurations
  - Automated offsite backup; monitored and tested
  - Security auditing enabled
• Policy and Procedure
  - Acceptable Use/Security Policy
  - Business Continuity Plan / Disaster Recovery Plan
• People
  - New employee onboarding includes security module
• Assessment
  - Security assessment every three years with ongoing review

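Both checklists call for an offsite backup, and the recommended standard adds "monitored and tested". A backup that has never been restored has not been tested. The following is an added example, not code from the presentation or from Success Computer Consulting: it builds a constructed sample of church records in a temporary directory, archives it alongside a SHA-256 manifest, restores the archive into a second directory and verifies every file against the manifest, then corrupts one restored file and deletes another to show that the check reports both. The file names, contents and manifest layout are assumptions made for the illustration.

```python
"""Backup, restore and verification round trip (added example; sample data,
file names and manifest format are constructed for illustration).

The manifest of SHA-256 digests is written beside the archive, not inside it,
so a damaged or tampered archive cannot also rewrite the record it is checked
against.  Keep a copy of the manifest with the offsite set as well."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_manifest(src: Path) -> dict:
    """Map each regular file (relative POSIX path) under `src` to its SHA-256."""
    files = sorted(p for p in src.rglob("*") if p.is_file())
    return {p.relative_to(src).as_posix(): sha256_of(p) for p in files}


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def backup(src: Path, archive: Path) -> dict:
    """Archive `src` as tar.gz and write <archive>.manifest.json beside it."""
    manifest = make_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive into `dest`.

    Where the interpreter offers tarfile extraction filters (Python 3.12+ and
    the patched 3.8-3.11 releases), the 'data' filter refuses members with
    absolute paths, '..' components or links escaping `dest`; an archive taken
    from a compromised server must not be trusted blindly."""
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest, **extra)


def verify(restored: Path, manifest: dict) -> dict:
    """Compare every restored file with the manifest and report what is wrong."""
    report = {"verified": 0, "mismatched": [], "missing": []}
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_of(path) != expected:
            report["mismatched"].append(rel)
        else:
            report["verified"] += 1
    return report


# Constructed sample data standing in for church records.
SAMPLE_FILES = {
    "giving/2013-q4.csv": b"date,fund,amount\n2013-12-29,general,250.00\n",
    "members/directory.txt": b"A. Parishioner, 123 Main St\n",
    "minutes/council-2014-01.txt": b"Council minutes, January 2014\n",
}


def run_demo() -> tuple:
    """Round trip, then a second verification after simulated damage.

    Returns (clean_report, damaged_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp, "live"), Path(tmp, "restore-test")
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        archive = Path(tmp, "church-2014-01-31.tar.gz")
        backup(src, archive)
        manifest = json.loads(manifest_path(archive).read_text())
        restore(archive, restored)
        clean = verify(restored, manifest)
        # Simulate bit rot or tampering, and a lost file, in the restored copy.
        (restored / "giving/2013-q4.csv").write_bytes(b"corrupted")
        (restored / "members/directory.txt").unlink()
        damaged = verify(restored, manifest)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_demo()
    print("after restore:", clean)
    print("after damage: ", damaged)
```

Run the restore-and-verify step on a schedule against the offsite copy, and treat any "mismatched" or "missing" entry as an alert; "monitored" means someone is told when the test fails, not only when the backup job runs.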
What do you think?
• Where are you best covered now?
• Where do you feel the most exposure / risk?
• What is your highest priority?

THANK YOU!
Email: [email protected] or [email protected]
Phone: 763-593-3000 x4103
Web: sccnet.com