Information Security-

Base Concepts & Leadership

Jeromie Jackson- CISSP, CISM

COBIT & ITIL Certified
jeromie.jackson@tig.com
jeromie@comsecinc.com
619-368-7353
 Brief Bio.
Articles
* Covered on Forbes Magazine

President- San Diego OWASP * Credit Union Business Magazine
* Credit Union Magazine
* CU Times

Vice President- San Diego ISACA

* Insurance & Technology Review

* CMP Media
* Storage Inc.

CISSP Since 1996 Speaking Events
* SPC 2009
* SecureIT 2008

CISM, COBIT, & ITIL Certified * SecureIT 2009
* Interop
* Government Technology

SANS Mentor Conference (GTC)
* Many Credit Union Leagues


Security Solutions Architect @ TIG
 Agenda

IT Audit is not Enough

Network Security

Web Application Security

Countermeasures

Ignorance is Risk

Managing by Measurement
IT Assessment
 IT Audit is not enough

Unclear Scope

New Vulnerabilities/Risks

Use of Lagging Indicators
 Common IT Audit Deficiencies

Third-Party agreements and contracts weak

Employee Awareness Training needed improvement

Too many privileged accounts

Inability to document user privileges

Log collection weak

Critical assets not clearly defined & documented

DR/BCP not regularly tested

Internal controls not routinely reviewed

Change management documentation & consistency lacking

ERP systems riddled with segregation issues
- Paul Proctor and Gartner Risk & Compliance Research Community, March 2007
 Human Stupidity

Changing configurations

Installing rogue programs

Human Error (audits)
 Incorrect User Provisioning
− Automation tools generally too costly for SMB
− “AD-Aware” tools often can authenticate but cannot
provision access control
− User-Errors
− Asset Owners

Often do not know what to provision

Do not know granularity capabilities

Generally rely on what has worked previously
“Is-Like”
If using Microsoft “Is-Like” make the account
generic
 Conduct an
IT Risk Assessment
 Critical Assets

Critical assets provide services to enable the
business

May be external facing

May be a single machine or set of machines
 Risk Management Frameworks &
Functions

Frameworks
− NIST (SP800-30)
− Octave
− Octave Allegro
− Factor Analysis for Information Risk (FAIR)

Primary Functions
Create Value Account for People, Process, and
Technology
Integral Organizational Process Continual
Systematic Focused on Continual Improvement
 Octave Allegro

Great for a small group

Smaller in scope than other options

Can be conducted in waves (IE: IT/Business,
etc.)
 Containers

Describe where the information resides

May be a single system

May be a group of systems

Does not have to be electronic
 Threats

Describe the
actors upon which
vulnerabilities are
executed causing
risk to the
organization
Threat Trees
 Vulnerabilities

Issues which cause a system or process to
deliver undesirable results

May impact
− Confidentiality
− Integrity
− Availability
 Risks

The result of a threat agent
acting upon a vulnerability

Vulnerability Exploitation
− Compromise of sensitive
data
− Manipulation of
funds/account data
− Denial of Service against
Internet-Facing Systems
 Deliverables

Identification of Critical
Assets

Ranking of Assets

Portfolio view of
organizational risks
Network Security
 TCP/IP
Transport Control Protocol / Internet Protocol

Internet is based on TCP/IP

Designed for unstable networks

IPV4 prominent with IPV6 growing

TCP, UDP, & ICMP are the primary types of
packets
 TCP

Connection-Oriented

Used when integrity or state is necessary

Maintains state

3-way handshake to initiate session

Significant overhead compared to UDP
TCP/IP/Packet
 Telnet

Command-Line interface to operating system

Commonly used for
− Networking equipment
− UNIX systems

SSH should be used instead
 SSH

Encrypted version of Telnet

Enables remote management through CLI

Preferred method of remote management


Should be used instead of Telnet
 HTTP

Hyper Text Transfer Protocol

Pieces of page come across
as unique TCP connections
(images, text, etc.)


Ok to be used across
network segments
− External to DMZ
 HTTPS

Secure HTTP

Encrypted with Secure Socket Layer (SSL)or
Transport Layer Security

SSL inherently flawed based on use of MD5 for
hashing

Application data is now an encrypted payload

May conduct server, and client, authentication

Ok to be used across network boundaries
− External to DMZ
 SMTP

Simple Mail Transfer Protocol

Over port 25

Used for outbound mail

Notorious for security vulnerabilities


Ok to be exposed from Internet to DMZ
 SMTP Relaying

Allows someone from one domain to relay
information through another SMTP Server


A SMTP server should only allow outbound
email from the domains it serves
 EXPN/VRFY

EXPN- Expand Address
− This attempts to expand the list of email addresses
from a mailing list.


VRFY- Verify Address
− Attempts to validate email addresses
− Many systems will/should provide a generic
response
 POP

POP- Post Office Protocol

Port 110

Used to receive emails

Can use Apop which uses strong authentication


APOP or IMAP are preferred methods
 Server Message Block (SMB)

This is the protocol associated with Microsoft
file-sharing, and network printer, and serial
ports (IE: for network-based modems)


Due to the complexity and bulkiness of this
protocol it is recommend to not allow across
bondaries whenever possible

This should not be allowed on any Internet
connections
 Remote Desktop Protocol (RDP)

“Windows Terminal Services”

Not recommended to use on the Internet

Instead use;
− VPN
− Citrix
− HTTPS
− VMWare
 R-Commands

Rsh- Remote Shell

Rlogin- Remote Login

Rcp- Remote Copy
− Etc.

R-Commands allow users to define access
control rights
− Exploited with “+ +” in .rlogin ,etc.


R-Commands should not be used- SSH, etc.
instead
 IP Security (IPSEC)

Used for VPNs

Can run in two modes
− Tunnel- TCP/IP header encrypted and a new src/dst
pair is added to the connection
− Transport- only payload is encrypted
Tunnel Vs. Transport
 Voice Over IP (VOIP)

Allows for phone conversations across IP
networks

Many security risks
− Sniffing
− MAC Spoofing
− Application Vulnerabilities
− Session Hijacking
 File Transfer Protocol (FTP)

Preferable protocol used to transfer files

May be used cross-boundaries into a DMZ

Historically many vulnerabilities
− I often find exposure here
Trivial File Transfer Protocol (TFTP)

Similar to FTP but less interactive

Not used very often

Can be used inbound into a DMZ
 UDP Pros and Cons

Connection-Less protocol

No error correction or retransmission

Doesn't require sequence # or handshake
− MUCH easier to spoof

Only 1 way communication

No sequencing

No 3-way handshake
 Domain Name System (DNS)

Used to resolve IP's to hostnames and vs.
versa
− 72.167.183.41 = jeromiejackson.com
− jeromiejackson.com = 72.167.183.41

Single queries use UDP port 53
 DNS Zone Transfers

Zone transfers provide a copy of the name
table that is stored by the DNS server

Zone Transfers occur over TCP 53

Zone Transfers should only be available to
upstream providers/peers
 DNS Caching

When a client requests something to be
resolved it will accept more information than
what it had inquired about

DNS Redirection & Spoofing
− Attacker spoofs reply with bogus data
− Attacker replies with correct data & corrupt data
− Attacker compromises DNS Server & uses it to
distribute additional bogus answers to queries
 Simple Network Management
Protocol (SNMP)

Can provide vast amounts of data about
systems

Based on Management Information Base
(MIB)s

V3 is the only one with built in authentication,
privacy, and access control
 Internet Control Message Protocol
(ICMP)

Use for various tasks

Ping (Echo Request/Reply)

Host Not Reachable

Network Unreachable

Redirects

Only allow across borders if required
 Hijacking

TCP Hijacking
− Man-In-The-Middle
− TCP Reset
− MAC Spoofing


UDP
− Race condition- Respond prior to legit request


ICMP
− ICMP Redirect through an infected
machine/network
 BREAK- Next
Web Application Security
 Web-App Overview
Cross-Site Scripting
Injection Flaws
Malicious File
Insecure Direct Object Reference
Cross-Site Request Forgery
Information Leakage & Error Handling
Broken Authentication & Session Management
Insecure Cryptographic Storage
Insecure Communications
Failure to Restrict URL Access
 Tools Being Used

WebScarab
− Allows for HTML massaging
− Transcoder

Firefox Developer Tools
− Form Editing
− Subvert client-side security settings
 1- Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes
user supplied data and sends it to a web
browser without first validating or encoding the
content.

XSS allows attackers to execute script in the
victim's browser
 Worry About Encodings

Original URL: www.comsecinc.com/contact.php

Base64
− d3d3LmNvbXNlY2luYy5jb20vY29udGFjdC5waHA=

URLEncoding
− www.comsecinc.com%2Fcontact.php

Derivatives to further obscure intent
− Spaces or content breaks within content

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>

<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
 Vulnerability

Hijack user sessions

Redirect to hostile location

Website Defacement

Possibly introduce worms
 Protection

Utilize a standard input validation mechanism

Do not attempt black-list validation

Java- Use Struts <bean: write>

.NET- Use Microsoft Anti-XSS Library

PHP- Use htmlentities() or htmlspecialchars()
 References

Rsnake put together a great XSS Cheat Sheet
− http://ha.ckers.org/xss.html

How to Obscure Any URL
− http://www.pc-help.org/obscure.htm
 2- Injection Flaws

User-Supplied data sent to an interpreter
− SQL
− LDAP
− Xpath
− XML,
− SOAP
− OS command injection
 Vulnerability

SQL Injection
− Create, Modify,Delete,View tables/databases

OS Command Injection
− Read/Modify/Delete/Create files
− Execute Processes with Privileges of application.
 Protection

Sanitize Input

Enforce least-privilege-especially in the
database

Avoid detailed error messages

Use strongly typed parameterized queries
 3- Malicious File Execution

Applications using data input for filename
usage are generally vulnerable
 Vulnerability

Hostile File Uploads

Access to Sensitive Data

Reading confidential data
 Protection

Use a “Known Good” strategy

Sanitize User Input

PHP
− Disable allow_url_fopen and allow_url_include
− Disable Register Globals & E_Restrict

Java- Ensure Security Manager is enabled for is
properly configured

.NET- Leverage least privilege via Security manager
4- Insecure Direct Object Reference

A user's direct access to object references
− IE: Filenames, & directories
 Vulnerability

Hostile File Uploads

Access to Sensitive Data

Reading confidential data
 Protection

Avoid exposing private object references

Indirectly reference objects
− Index files as opposed to utilizing their name
 5- Cross-Site Request Forgery

A CSRF attack forces a logged-on victim’s
browser to send a request to a vulnerable web
application, which then performs the chosen
action on behalf of the victim.

IE: Vulnerable Banking relationship, shopping
site, etc.
 Vulnerability

Can exploit the vulnerability on behalf of the
attacker.

Submit bank transfer

Send credit card information

Automatically post information out to an Internet
site
 Protection

Re-Authenticate or use transaction signing to ensure that the request is
genuine.

Set up external mechanisms such as e-mail or phone contact in order to
verify requests or notify the user of the request.

Do not use GET requests (URLs) for sensitive data or to perform value
transactions.

Use only POST methods when processing sensitive data from the user.

POST alone is insufficient protection. You must also combine it with random
tokens, out of band authentication, or re-authentication to properly protect
against CSRF

For ASP.NET, set ViewStateUserKey
− Provides a similar type of check to a random token as described above.
 Vulnerability

Data in errors may be useful for social
engineering

May disclose internal object references

Often discloses account names
 Protection

Disable or limit error handling

A common error handler is often useful
− Can send details out-of-band

Ensure development team shares a unified
approach
7- Broken Authentication & Session
Management

Allows attacker to bypass the I&A Process

Often introduced through ancillary
authentication functions
− Logout, password management, timeout, remember
me, secret question, and account update.
 Vulnerability

Subversion of authentication within the
application

Portions of application go unauthenticated
 Protection

Only use the inbuilt session management mechanism.

Limit or rid your code of custom cookies for authentication
or session management

Use a single authentication mechanism

Do not allow the login process to start from an unencrypted
page.

Use a timeout period

Check the old password when the user changes to a new
password
 8- Insecure Cryptographic Storage

Protecting sensitive data with cryptography has
become a key part of most web applications.

Simply failing to encrypt sensitive data is very
widespread.
 Vulnerability

Inappropriate information disclosure

Regulatory violation
 Protection

Do not create cryptographic algorithms.

Do not use weak algorithms, such as MD5 /
SHA1.
− Favor safer alternatives, such as SHA-256 or better.

Generate keys offline and store private keys
with extreme care.

Ensure that encrypted data stored on disk is not
easy to decrypt.
 9- Insecure Communications

Applications frequently fail to encrypt network
traffic when it is necessary to protect sensitive
communications.

Encryption (usually SSL) must be used for all
authenticated connections.

In addition, encryption should be used
whenever sensitive data is transmitted.
 Vulnerability

Inappropriate access to conversations
− Any credentials or sensitive information transmitted.
 Protection

Use SSL for all connections that are
authenticated or transmitting sensitive or value
data

Ensure that communications between
infrastructure elements are appropriately
protected.

Under PCI Data Security Standard requirement
4, you must protect cardholder data in transit.
10- Failure to Restrict URL Access

Frequently, the only protection for a URL is that
links to that page are not presented to
unauthorized users

Security by obscurity is not sufficient to protect
sensitive functions.
 Vulnerability

"Hidden" or "special" URLs, rendered to all
users if they know it exists
− /admin/adduser.php or /approveTransfer.do.

Applications often allow access to "hidden"
files, such as static XML or system generated
reports.
 Protection

Ensure the access control matrix is part of the
business, architecture, and design of the
application

Perform a penetration test

Do not assume that users will be unaware of
special or hidden URLs or APIs.

Block access to all file types that your
application should never serve.
 Action Plan

Embed security early in projects

Utilize standard data validation processes

Implement a standardized error handler

Properly segment the environment(s)

Test all externally-facing applications
 Implement Security in Projects

The earlier security is implemented the lower
the cost of the project
− Inception- Ensure plans meet security standards
− Development- Ensure it stays on track
− Implementation- Validate implemented
appropriately
− Operations- Monitor & Measure
− Disposal- Ensure proper asset disposal processes
Implement Standardized Processes
for Data Validation

Implement standard error handling processes
to limit data exposure

Utilize standardized santization processes to
ensure consist quality protection
Properly Segment the Environments

Three-Tier DMZ
 Test All External-Facing
Applications

Application test all applications accessible on
the Internet

Assess all system which utilize restricted data
− (Healthcare, Credit Cards, ACH Transfers, etc.)
 Strength in Numbers
Contact Information

Join Local Associations 
Jeromie Jackson- CISSP/CISM
− OWASP & ISACA 
jeromie@comsecinc.com

ComSec, Inc.

702-866-9412

ComSec Services
Security Services
Qualifications
Virtual CISO Social Engineering
OWASP SD Chapter President CISSP & CISM Practitioners
Risk
BoardAssessment
Members to ISACA Awareness
ITIL & COBITTraining
Certified
Security
NSS LabsAssessment
Advisory Board Policy Development
800+ Regulated Customers
 Part 3
Technical Countermeasures
 Firewalls

IP Filtering
− (Src, port, dst, port, flags)
− IP ACLs

Stateful Inspection
− Just like IP Filtering but maintains state
− Identifies existing flows and uses for rule base

Application-Level
− Understands the application
− IE: Can do FTP PUT, but not GET
− Mitigates least-privilege
 Intrusion Detection/Prevention
(IDS/IPS)

Can be signature or anomaly based

Signature
− Floods
− Brute Force
− SQL Injection

Anomaly
− Keystrokes & typing
− Standard system usage
− Obscure destinations or services being utilized
 Web Application Firewall (WAF)

Monitors and mitigates web-based
vulnerabilities

Some IDS/IPS Signatures may see

Some provide application profiling
− Imperva
− Breach
− Data Power
 Antivirus/ Anti-Malware

Mostly signature based
− Identified files/processes

Whitelisting becoming more prevalent

Should be deployed @ the desktop & at the
gateway

Preferably two different engines/vendors
 Content Filtering

Blocking sites and/or frames in a site

Can be white-list or black-list based

Sometimes used for anticipated productivity
gains
 Authentication

3 factors of authentication
− Something you know

PIN

Password
− Something you have

Smart Card

RFID Card

Digital Certificate
− Something you are

Biometrics
 Log Management

Logs are critical importance to auditors
− Centralized
− Monitored
− Escalated
− Consistent
− Secure

SIMs are a great way to correlate these
 Access Control

Role-Based

User-Based
 Permissions (MAC & DAC)
Discretionary Access Control

User's discretion
− Found on most multi-user operating systems
− (Read, Write, Execute / User, Group, Other)

Mandatory Access Control

- Objects are given labels
− Labels often hard-coded
− Specific access control provisions used (IE: Read
down, write equal)
 User Provisioning

Often resource intensive

Prone to error

Provisioning software generally not cost-
effective for SMB space


Maximize the applications that are AD aware,
and hopefully can leverage groups for access
control
Symmetric Encryption
Asymmetric Encryption
 Disk Encryption

Should be deployed on all remote devices

Full-Disk is preferable

Mitigates the significant threats of a device
being lost/stolen
 Email Encryption

Email goes over unencrypted ports

Some tools require end-user to encrypt
outbound

Some can have policies based on destination

Can be Symmetric or Asymmetric
 SIM/SIEM

Great way to reduce cost of security

Consolidate those logs- make them useful!

Pivoting is very functional (BI for Security)
− Trigeo
− Arcsight
− NetIQ
 Database Auditing

Some built-in
− Be careful of turning auditing on without tuning

Imperva has a Database play

Don't let developers directly connect to the SQL
port(s)
 Data Loss Prevention (DLP)

Great way to gain visibility into previously
unidentified risk vectors
− Remember Due Diligence & Due Care

Some can import databases

Some are agent based
− This is good for mobile computing!
 Physical Countermeasures

Information Security != Technical Security

Many attacks/breaches due to physical security
weaknesses
 ID Cards

Various Type
− RFID Cards
− Smart Cards
− MAG Stripes
 RFID Pros/Cons

Pros
− Easy
− Cost Efficient
− Lots of vendors

Cons
− Cloning
 Smart Cards Pros/Cons

Pros
− Intelligent
− Built-in CPU


Cons
− More expensive
− Complexity generally adds risk
 Mag Stripes

Pros
− Cheaper cards
− Cheaper Readers


Cons
− Exploitation costs lower
 Administrative Controls

Policies, Procedures, and Standards mitigate
end-user risk

Do not fall under the panacea that technology
comprehensively mitigates risk
 Policies

Describe management expectations

Describe what is to be done

Should be aligned with high-level control
objectives/intentions
 Procedures

Describe the actions required to carry out
policies

Describe the How to execute the policies
 Standards

Describe high-level objectives for IT
− Consolidate types of technology in the environment
− Ensure implementation of security principals

A Guidebook for architects

A Summary of what the stakeholders described
 Dual Control

Two-Pieces of a key to open a door

Two people to execute a transaction

Additional signatures for processing
 Audit

Policies, procedures, and standards not
beneficial if not in use

Logs are required by auditors to ensure
controls are consistently being implemented

Primary Concepts
− Least Privilege
− Segregation of Duty
− Dual-Control
− Continual
− Repeatable
 Least Privilege

Users should be given access only to resources
necessary to carry out their job

Mitigates inappropriate disclosures

Enhances auditability

Should be used to help stakeholders define
access control requirements for an asset
 OS Hardening

Least privilege
− Only required services allowed
− Remove unnecessary services

Patching
− Mitigate vulnerability affecting the environment

Consistency
− Reduce Complexity
− Limit types of vulnerabilities affecting the
environment
− Minimize vulnerabilities present in the environment
− Stabilize a baseline
 Racking & Stacking @ a 3 Party rd


How far up will they manage?
− Up to the rack?

OS & App threats

Ability to install countermeasures

− Up to the OS?

Can you deploy OS/Network Countermeasures?

Patching strategies

What about non-Microsoft Applications?
− Up to the app?

Auditability

Least-Privilege
 Virtualization Threats & Risks

Virtual Host to Virtual host connections
− Network-Based countermeasures

Hypervisor security
− Mainframe
− Process Sockets
 Ignorance is Risk

Manage by Measurement
Through the Use of a Control
Framework
 Security Risks & Exposures are
Growing

More than 35 million data records were
breached in 2008 in the United States
-Theft Resource Center


Jan 20, 2009- Heartland Payment Systems-
100 Million Transactions Per Month!
http://www.2008breach.com/


252,276,206 records with personal information
since January 1995
- www.privacyrights.org
 Risk is a Business Issue
“Ignoring or misunderstanding financial risks played a
substantial role in creating the world financial crisis in
2008.”

“Organizations need to assess risk as part of cost-cutting

decisions and should manage increased IT risks to
prevent operation failures that will lead to further loss.”
- Gartner, “Managing IT Risks During Cost-Cutting Periods”, October 22, 2008
 Risk is a Business Issue (Cont.)
− CardSystems Solutions Inc.

Mid 2005 breach of 40 million credit cards.

Visa & Mastercard terminated their processing capability-
they soon went under

35+ million data records were breached in 2008 in the
United States-Theft Resource Center
− Heartland Payment Systems

Jan 20, 2009

100 Million Transactions Per Month

http://www.2008breach.com
− 252,276,206 records with personal information since January
1995 -http://www.privacyrights.org
Risk Aware Risk Adverse
 Risk Aware Vs. Risk Adverse
Risk Aware Risk Adverse

OK to Talk About Risk 
Avoids Discussions of Risk

Ok to Take Risks 
Avoids Responsibility for risks

Ok to Fail (if managing appropriately) 
No tracking or Analysis of
Features & Successes

Success and failures tracked and
analyzed 
Can't Learn From Mistakes; High
Repeat Failure Rates

Continuous learning and improvement
for key processes 
Padded Budgets, Extended Time
Lines, Surprise Overruns

Realistic budgets and time lines that are
continuously monitored 
Managers Assign Blame, Don't
Share the Risk

Enterprise is able to take on bigger risks
2007 MIT Sloan Center for Information Systems Research & Gartner Inc.

Being Risk Aware Enables Agility & Innovation

Down Economy causing executives
to focus on profitability


3 ways to improve
profitability
− Increase top-line sales
− Reduce COGS
− Optimize Operations
 Optimize IT
− Bridge the gap between control
requirements, technical issues, and
business risk
− Use a portfolio approach to risk
management
− Manage by measurement
− Enable your organization to reap
maximum benefit from technology
investments
 Regulation With Minimal Benefit


Redundant 
Overlapping
Requirements
and vague

Controls requirements
without clear 
Costly resource
benefits
allocation
 Regulations


Increasing complexity

Resource intensive

Divert focus on maturing risk management

Optimize Regulatory
Remediation Convergence

Assert
Compliance
Simultaneously
IT & Business Alignment- Are we communicating?

Prudent Agile Competitive

Advantage
 Implications


IT is meant to
serve the business

IT must be aligned
with business
goals

IT is costly and
requires prudent
management
 Become Proactive

Instill best-practice governance

Utilize a risk-management portfolio to guide
remediation

Consolidate Regulations
Managing by Measurement
Leading the Trauma Unit

50 Case Studies

130 Firms Surveyed

2000+ Executives Refined

The Root-Cause of
IT Risk -
Lack of Governance
“..Manifested as uncontrolled complexity, and inattention to risk.”
George Westerman & Richard Hunter, IT Risk; Turing Business Threats Into Competitive Advantage
(Harvard Business School Press, 2007)

Governance- “Specifying the decision rights and

accountability framework to encourage
desirable behavior in using IT.”
- Peter Weill and Jeanne Ross, IT Governance: How Top Performers Manage IT Decisions Rights for Superior Results
(Boston: Harvard Business School Press, 2004)
 5 Facets of Governance

Value Delivery

Strategic Alignment

Performance Measurement

Resource Management

Risk Management
 Improve Risk Management


Risk Management
Process
− Identify critical assets
− Define containers
− Identify risks & threats
− Quantify or qualify risks

Prioritize Remediation
Efforts
 Stop The Bleeding -
Cauterize the Wounds

Identify & Collect Known Risks

Create a Remediation Portfolio

Document the “As-Is” State
 Stabilize the Patient

Classify Known Risks

External Audits

Internal Audits

Regulatory Audits

Vulnerability Assessments

Risk Assessments

Address Availability

Focus on Business Consequence

Consolidate Regulations
 Identify Primary Controls
Confidentiality Integrity

Availability Performance Measurement Auditability

Have a clear architectural direction /
“To-Be” state

Conduct an IT
Assessment to identify
“As-Is” State

Through planning
identify core strategies
and architecture

Manage by
Measurement
 Seek Optimal Treatment Plan

Benefits of utilizing
best practices
− Enables external
expertise
− Facilitates
benchmarking
− Auditor familiarity
resulting in reduced
costs
Best Practice Control Objectives
 Components of Controls

Defines a specific goal

Aligns with business objectives

Describes the focus required to manage

Summarizes how the goal will be achieved

Defines potential KPIs/KGIs

RACI Table
 Communicate & Collaborate


Paradigms- 7 Habits of Highly Effective People- “A man on a subway sees 2
obnoxious children...”
The sum is greater than the
individual pieces
 Balanced Scorecards

Focus on 4 key paradigms
− Financial- Fiscal Measurements
− Customer- Service Qualities
− Operations- Operational Efficiency & Agility
− Learning & Growth- Fostering Growth & Innovation


Provides measurements based on key
“customers” being serviced
Balanced Scorecards
 Strategy Maps
Describe the “To-Be” state graphically


Facilitate collaboration

Minimize jargon

Collaborate
Strategy Map
 Leading & Lagging Indicators

Leading indicators
− Sales Targets
− # of site visitors expected this year

Lagging indicators
− $ Closed Deals last month
− Visitors last year
− Amount a specific product has generated thus far
 KPIs & KGIs

A Key Goal Indicator, representing the process goal, is a measure of "what"
has to be accomplished. It is a measurable indicator of the process
achieving its goals, often defined as a target to achieve.
− Remain Profitable
− Take over 15% market share in a territory


By comparison, a Key Performance Indicator is a measure of "how well" the
process is performing.
− % of Bench time for engineers - “Riding the Pine”
− # of opportunities in the pipeline
Prudent Management is not just for
the enterprise anymore

Governance has been slowly adopted in the
SMB space
− Perceived as an “enterprise play”
− ROI/CBA/NPV communication muddled with jargon

Talk to your audience- don't belabor

acronyms and frameworks.
Focus on sound stewardship
principals.
 References

Privacy Violations- www.privacyrights.org

COBIT - www.isaca.org/cobit

VAL IT - www.isaca.org/valit

Strategy Maps -
http://www.valuebasedmanagement.net/methods_strategy_maps_strategic_
communication.html

BSC - http://www.balancedscorecard.org/

Lean Six-Sigma - www.qimacros.com

Harvard Business Review
 Questions?

Jeromie Jackson- CISSP, CISM

Jeromie.Jackson@TIG.COM
619-368-7353-direct
www.linkedin.com/in/securityassessment