Information Security - Nacba
Information Security
Being a Good Steward of Church Information
Talk Amongst Yourselves…
Who is this dude?
Erik Thorsell
Founder and CEO, Success Computer Consulting, since 1992
IBM Premier Business Partner and Microsoft Gold Server Partner
Former Pillsbury Doughboy
Who is Success Computer Consulting?
Managed network service provider
Focused on faith community
Plymouth Congregational, Westminster Presbyterian, Beth Jacob Congregation, Mpls. Synod of ELCA, Catholic Archdiocese of Saint Paul & Minneapolis, several Catholic parishes
Focus on non-profit organizations
32 people, including 20 certified (and friendly!) technical staff
Real Life Examples
The Inside Job
A (forgive me) Stupid Mistake
The Ukraine comes to Red Wing
Anyone else got an example?
What is security, exactly?
State or feeling of safety
Freedom from worries of loss
Something giving assurance
Based on this definition, is technology security even attainable?
The Risk Landscape
Today’s Threats
Third-party applications
On a PC, the rate of vulnerabilities in 3rd party apps is 350% of that in Microsoft apps
Attacks exploiting PDF readers increased from 11% to 49% of all malware attacks
Fake AntiVirus – “Rogueware/Scareware”
Some are benign – they only engineer you into wasting money
Others are malicious – a security back door
Up-to-date security appliances block Rogueware/Scareware
Today’s Threats
More attacks through HTTPS / SSL
Rely on up-to-date security appliances
Look for strong authentication capabilities in security products
Social networking threats increase
The threat of malware through social networking sites is increasing rapidly
Security experts recommend blocking these sites on your network
Today’s Threats
Employee Insubordination
Early warning signs include dishonesty, incompetence (real or feigned), reluctance to change, lack of dependability or apathy
Can lead to significant, irreversible damage
Disaster / Business Interruption
Water leak! - #1 cause of physical system damage
Electrical surge/spike, Fire, Theft / vandalism, Storm, etc.
Compliance
PCI – Payment Card Industry
www.pcisecuritystandards.org
HIPAA – Health Insurance Portability and Accountability Act
GLBA – Gramm-Leach-Bliley Act
SOX – Sarbanes-Oxley Act
Components of a Security Strategy
Technology
Policies and Procedures
Physical Security
People
Assessment
Technology Tools
• Firewall
• AntiVirus/AntiSpyware
• Patch Management
• Backup
• SPAM Filtering
• Data Loss Prevention
• MBSA (Microsoft Baseline Security Analyzer)
Policies and Procedure
Information Security Policy
Access Control, Virus Prevention, Internet Usage/Security, System Security, Acceptable Use, Remote Access (VPN, RDP)
Procedures/Documentation
Disaster Recovery Plan, Data Backup Procedures, Firewall Configuration, Server Configuration
Physical Security
Secure cabinet or room for server and network hardware (including backup systems)
Sign-in/out log in work areas that contain sensitive data
Computer locks – physical and O/S lock
Asset I.D. tagging
B.Y.O.D. Policy
People
Organization-wide emphasis on security
Personnel are the key element to mitigating security risk
IT department does not shoulder responsibility alone
Security is everybody’s job
Strict enforcement of policies is critical
Assessment
Types of assessments:
Perimeter scan / penetration testing
Patch management review
Policy / procedure assessment
Disaster recovery plan review
Reasons:
PCI compliance
Peace of mind
IT workload prioritization
The Minimum!
Technology: Firewall with UTM/XTM subscription; AntiVirus software – updated; Patch management solution; Backup with offsite storage
Policy and Procedure: Password policy
Physical Security: Server and all media in a locked room/cabinet
People: Have a discussion about security and risk
Assessment: As required by PCI compliance
Recommended Industry Standard
(all the minimums, plus these…)
Technology: Managed service monitoring and patch management; Secure wireless access; Group policy on server to limit user installs and configurations; Automated offsite backup, monitored and tested; Security auditing enabled
Policy and Procedure: Acceptable Use/Security Policy; Business Continuity Plan / Disaster Recovery Plan
People: New employee onboarding includes a security module
Assessment: Security assessment every three years with ongoing review
What do you think?
Where are you best covered now?
Where do you feel the most exposure / risk?
What is your highest priority?
THANK YOU!
Email: [email protected] or [email protected]
Phone: 763-593-3000 x4103
Web: sccnet.com