IT Security Program


Developing Security Program

Lecture 6
Outline
Culture is Essential in Securing the assets
What is Information Security Program
Infosec Elements
How to Create Infosec Program
Securing the Human

We want to build a solid team


Information Security Governance
Before we start
A blame culture encourages poor security
A culture of blame and fear around security means end
users won't tell you that they are using an unsanctioned
app, have clicked on a malicious link, or have seen
unusual activity until it is too late
Security teams should empower users with a culture of
personal responsibility, so that they treat data security
the same way they approach other company policies, like
health and safety.
What would you do if you got this message?
What it should be
How it should be
What is a Security Program?
A security program is the entirety of an organization’s
security policies, procedures, tools and controls
Essentially, the security program is the full, multi-
faceted security strategy and governance that protects
the organization’s sensitive data and capabilities
What is an Information Security Program?
An information security program is a documented set of an
organization's information security policies, procedures,
guidelines, and standards
Your security program should provide a roadmap for
effective security management practices and controls
Having a strong security program helps your organization
ensure the confidentiality, integrity, and availability of
client and customer information, as well as the
organization’s private data through effective security
management practices and controls
The Journey to Secure
The design of a successful information security
program typically takes a team of experts with a wide
range of experience
Ideally, that design should carefully consider the value
of your data and systems, the threats they face
(malware, ransomware, internal, Internet-based etc.),
your budget, compliance or regulatory obligations, risk
tolerance and a framework or standard of best practices
in your industry
Security Program Purpose
A formalized security program provides a documented
set of an organization's security policies, procedures,
guidelines, and standards.
Security programs are critical to proactively
protecting data while maintaining compliance
with best practice and regulatory requirements, as
well as customer standards.
Security Program Purpose
Today, the risk and frequency of incidents and
breaches are higher than ever before
Breaches affect large numbers of financial
organizations, healthcare organizations, public-sector
entities, as well as organizations in any industry
Effectively maintained and adaptable security
programs both mitigate potential risks in an
organization’s environment and can respond to
incidents quickly.
Why should we have Infosec Program
A solid infosec program is an essential component of
running a business in the digital age
Without a security program, you leave your company,
customers, and data at risk
Security Program Posture
An organization's security posture (or cybersecurity posture)
is the collective security status of all software, hardware,
services, networks, information, vendors and service
providers
Your security posture encompasses information
security (InfoSec), data security, network
security, penetration testing, security awareness training to
prevent social engineering attacks, vendor risk
management, vulnerability management, data
breach prevention and other security controls.
Why is your security posture important?
Your organization's security posture is important because
it has an inverse relationship with cybersecurity risk: as
your security posture improves, cybersecurity risk
decreases.
Cybersecurity risk is the probability of exposure or loss
resulting from cyber attacks, data breaches and
other cyber threats. A more encompassing definition is
the potential loss or harm to an IT infrastructure's or IT
asset's confidentiality, integrity or availability
Know the regulations / laws
These regulations often outline what data must be
protected (personally identifiable information, protected
health information and sensitive data) and suggest
security controls, e.g. encryption, access control or the
principle of least privilege.
Laws Related to Security (assignment)
Reducing cybersecurity risk and ensuring data privacy is
now more important than ever before driven by general data
protection laws like GDPR, LGPD, PIPEDA and CCPA, as
well as industry specific regulation like GLBA, FISMA, 
CPS 234, the NYDFS Cybersecurity Regulation and HIPAA
Hack for kids
NSA FOR KIDS
How to determine your security posture
Cybersecurity risk assessments allow security professionals to
understand what data you have, what infrastructure you have,
and the value of the assets you are trying to protect.
Common questions asked during security assessments include:
• What data do we collect?
• How and where are we storing this data?
• How do we protect and document the data?
• How long do we keep data?
• Who has access internally and externally to the data?
• Is the place we are storing the data properly secured?
Assessment Parameters
Set the parameters for the assessment by asking the following
questions:
• What is the purpose of the assessment?
• What is the scope of the assessment?
• Are there any priorities or constraints I should be aware
of that could affect the assessment?
• Who do I need access to in order to get the information I need?
• What risk methodology is used for risk analysis?
Measure Cyber Risk
Point-in-time security assessments are expensive, static and subjective, while the
number of cybercrimes is increasing in raw numbers, sophistication and impact
Security ratings provide real-time, non-intrusive measurement of your
organization's security posture, allowing your security team to continuously
monitor for security issues and instantly understand your most at-risk assets
Security ratings are a quantitative measurement of your organization's security
posture, just as a credit rating measures lending quality. As your
organization's security rating improves, so too does your security posture
By using security ratings, you can greatly increase your organization's ability to
meet and maintain compliance with regulation while meeting business
objectives
The Lifecycle of a Security Program
Discovery
◦ The first step is understanding what you have, what you need and what you need to
protect
◦ Risk assessments, gap analyses, security testing are all helpful in this initial planning
phase to understand your next steps, accurate resource allocation and budgets going
forward
Development
◦ With a full plan in place, a team can begin building your security controls, implementing
cybersecurity technology or tools and writing your policies and procedures
Operation/Business as Usual
◦ Once your security program is in place and fully functioning, your data, systems and
users will be protected by a robust system for mitigating risks, alerting your team to
threats and preventing breaches that put your business at risk
The Lifecycle of a Security Program
• Plan and organize
• Implement
• Operate and maintain
• Monitor and evaluate
Why a Life Cycle
Without one, a program typically shows these problems:
• Written policies and procedures that are not mapped to and
supported by security activities
• Severe disconnect and confusion between the different individuals
throughout the organization attempting to protect company assets
• No way to assess progress and the ROI of spending and resource allocation
• No understanding of the security program's deficiencies and no
standardized way of improving upon them
• No assurance of compliance with regulations, laws or policies
• Relying fully on technology as the only security solution
• A patchwork of point solutions and no holistic enterprise solution
Developing InfoSec Program
Developing an Information Security Program requires a
well-structured plan that should include people,
processes, and technology
Information security focuses on the protection of
information and information assets
It centers on key concepts such as Confidentiality,
Integrity, Availability, Privacy, Authentication and
Authorization
Developing InfoSec Program
These concepts depend on the design, development, implementation and
management of technological solutions and processes
Information security requires strategic, tactical, and operational planning
To support these plans, a set of components is often the key to a successful
security program:
◦ prevention and detection mechanisms,
◦ access management,
◦ incident response,
◦ privacy and compliance,
◦ risk management,
◦ audit and monitoring, and
◦ business continuity planning
Developing InfoSec Program
Developing an infosec program could be an overwhelming
task as it requires support, resources, and time
Building a strong and sustainable infosec program requires
having the right talent and tools
Partnering with a security solutions service provider can help
ensure the proper execution of your strategic goals
In most cases, seasoned information security professionals
have vast experience successfully developing and
implementing security programs to strengthen an
organization’s security posture
The key components to successfully implementing an infosec program
1. Focus on the Information Security Program as a whole
2. Align your security program with your organization’s mission and business
objectives
3. Implement meaningful and enforceable infosec policies and procedures
4. Develop a security risk management program
5. Apply defense-in-depth measures: Assess the security controls to identify and
manage risk
6. Establish a culture of security: Develop a sound Security Awareness program
7. Measure your Information Security Program by developing meaningful metrics
8. Develop and implement an Incident Response Plan: Train your staff and test
your plan periodically
9. Continuously monitor: Deploy tools and solutions to monitor your infrastructure
10. Review your plan at least annually: Anticipate, innovate, and adapt
Infosec programs need to:
• Establish a benchmark for security
• Measure against that benchmark
• Enable informed decision making
• Support the execution of decisions.
Security Education, Training, and Awareness (SETA)
• Improving employees' security-related behavior
• Informing employees where to report violations and incidents
• Enabling the organization to hold employees accountable for their actions
Securing The Human: How to Build, Maintain and
Measure a High-Impact Awareness Program
Organizations have invested a tremendous amount
of money and resources into securing technology, but
little if anything into securing their workforce.
As a result, people, not technology, have become the
most common target for cyber attackers.
The most effective way to secure the human element
is to establish a high-impact security awareness
program that
◦ goes beyond just compliance and changes behaviors and
ultimately creates a secure culture.
We should
• Identify the maturity level of your existing awareness program and the steps to
take it to the next level
• Differentiate between awareness, education and training
• Differentiate the variables of risk and how they apply to managing human risk and
security awareness training
• Understand why people are vulnerable and how cyber attackers actively exploit these
vulnerabilities
• Gain and maintain long-term leadership support for your program
• Identify the different targets of your awareness program
• Characterize the culture of your organization and determine the most effective
communication methods for that culture
• Identify, measure and prioritize your human risks
• Design and implement key metrics to measure the impact of each stage of your
awareness program, including measuring compliance, behaviors and culture
Security Awareness Training
Security awareness training is the process of providing formal security
education to users and employees about a variety of information security
threats and the company's policies and procedures for
addressing them
Topics covered in security awareness training often expand
beyond the digital world to discuss physical security and
how employees can keep themselves and their loved ones secure
(security culture)
Such training can take a variety of forms but is most often
presented in an online or computer-based format
How Should Training Be Approached?
The mission of a good training program should be providing concise,
actionable, and memorable advice about how to reduce risks related to
cybersecurity and information technology, whether digital or physical
Security skills developed on the job will also carry over into better cyber
hygiene habits at home or when working remotely from elsewhere
Annual Employee Awareness Training Is Not Enough
Infosec Program Posture
Defensive: defend information systems from potential or active
attacks
Management: manage day-to-day security operations
Offensive: assess for threats and vulnerabilities
Infosec Position
Infosec analyst
Infosec officer
Infosec engineer, etc.
We need people who can do the job and can get along
with others
We do not need people with only hard skills; we want
them to have written and verbal communication skills and
problem-solving skills, with ethics as an important attribute
We are strong together
Videos
The Cyber Skills Gap | Chris Silvers | TEDxElonUniversity – YouTube
Security Program Elements – YouTube
Securing The Human – YouTube
Quote
Learn how to learn
Quote
"We discovered in our research that insider threats are
not viewed as seriously as external threats, like a
cyberattack. But when companies had an insider threat, in
general, they were much more costly than external
incidents. This was largely because the insider that is
smart has the skills to hide the crime, for months, for
years, sometimes forever." – Dr. Larry Ponemon,
Chairman, Ponemon Institute, at SecureWorld Boston