What needs to be secured?
Who is responsible for it?
What technical/non-technical control should be deployed?
How are people supported to do what they need to do?
What if something goes wrong?
– Response and recovery
– Accountability and consequences
What needs to be secured?
Hardware, software and services
– servers, routers, switches, laptops and mobile devices
– OS, databases, services and applications
– Data stored in databases or files
From whom?
– Remote hackers?
– Insiders?
Identity and access management (IAM)
– Credentialing, account creation and deletion
– password policies
Network and host defenses
– firewall, IDS, IPS
– Anti-virus
VPN and BYOD
Vulnerability patching
User awareness and education
– Phishing attack awareness (PhishMe)
High level articulation of security objectives and goals
– legal, business or regulatory rationale
– Do’s and don’ts for users
password length
Web and email policies
Response to security events
– Address prevention, detection, response and remediation as they concern or impact users