CERT

CERT Podcast Series: Security for Business Leaders

Overview

Practicing strong information and cyber security is a nonnegotiable requirement for organizations doing business today. However, building security into an existing corporate culture is a complex undertaking. This series of podcasts provides both general principles and specific starting points for business leaders who want to launch an enterprise-wide security effort or make sure their existing security program is as good as it can be.

Please review our Legal Disclaimer


Podcast Categories

Forensics
Governing for Enterprise Security
Measuring Security
Privacy
Risk Management and Resilience
Security Education and Training
Software Security
Threat
Trends and Lessons Learned
Tips from the Trenches: Areas of Practice



Forensics
TJX, Heartland, and CERT's Forensics Analysis Capabilities
Complex, distributed, multi-year investigations of computer crimes require sophisticated methods, techniques, and tools.

Computer and Network Forensics: A Master's Level Curriculum
Students learn how to combine multiple facets of digital forensics and draw conclusions to support full-scale investigations.

Computer Forensics for Business Leaders: Building Robust Policies and Processes
Business Leaders can play a key role in computer forensics by establishing strong policies and proactively testing to ensure those policies work in tough situations.

Computer Forensics for Business Leaders: A Primer
Computer forensics is often overlooked when planning an incident response strategy; however, it is a critical part of incident response, and business leaders need to understand how to tackle it.


Governing for Enterprise Security
Public-Private Partnerships - Essential for National Cyber Security
Government agencies and private industry must build effective partnerships to secure national critical infrastructures.

Establishing a National Computer Security Incident Response Team (CSIRT)
A national CSIRT is essential for protecting national and economic security, and ensuring the continuity of government agencies and critical infrastructures.

Leveraging Security Policies and Procedures for Electronic Evidence Discovery
Being able to effectively respond to e-discovery requests depends on well-defined, enacted policies, procedures, and processes.

Managing Risk to Critical Infrastructures at the National Level
Protecting critical infrastructures and the information they use are essential for preserving our way of life.

Making Information Security Policy Happen
Targeted, innovative communications and a robust life cycle are keys for security policy success.

Becoming a Smart Buyer of Software
Managing software that is developed by an outside organization can be more challenging than building it yourself.

Information Compliance: A Growing Challenge for Business Leaders
Directors and senior executives are personally accountable for protecting information entrusted to their care.

Internal Audit's Role in Information Security: An Introduction
Internal Audit can serve a key role in putting an effective information security program in place, and keeping it there.

Tackling Security at the National Level: A Resource for Leaders
Business leaders can use national CSIRTs (Computer Security Incident Response Teams) as a key resource when dealing with incidents with a national or worldwide scope.

Using Standards to Build an Information Security Program
Business leaders can use international standards to create a business- and risk-based information security program.

Getting Real About Security Governance
Enterprise security governance is not just a vague idea - it can be achieved by implementing a defined, repeatable process with specific activities.

The Legal Side of Global Security
Business leaders, including legal counsel, need to understand how to tackle complex security issues for a global enterprise.

Why Leaders Should Care About Security
Leaders need to be security conscious and to treat adequate security as a non-negotiable requirement of being in business.

Compliance vs. Buy-in
Integrating security into standard business operating processes and procedures is more effective than treating security as a compliance exercise.


Measuring Security
Measuring Operational Resilience
Measures of operational resilience should answer key questions, inform decisions, and affect behavior.

Getting to a Useful Set of Security Metrics
Well-defined metrics are essential to determine which security practices are worth the investment.

Using Benchmarks to Make Better Security Decisions
Benchmark results can be used to compare with peers, drive performance, and help determine how much security is enough.

Initiating a Security Metrics Program: Key Points to Consider
A sound security metrics program is grounded in selecting data that is relevant to consumers and collecting it from repeatable processes.

Building a Security Metrics Program
Selecting and reporting meaningful security metrics depend on picking topics of great interest, defining the business context, and having access to sound data.

The ROI of Security
ROI is a useful tool because it enables comparison among investments in a consistent way.

Privacy
Considering Security and Privacy in the Move to Electronic Health Records
Electronic health records bring many benefits along with security and privacy challenges.

Integrating Privacy Practices into the Software Development Life Cycle
Addressing privacy during software development is just as important as addressing security.

Electronic Health Records: Challenges for Patient Privacy and Security
Electronic health records (EHRs) are possibly the most complicated area of IT today, more difficult than defense.

Protecting Information Privacy - How To and Lessons Learned
Aligning with business objectives, integrating with enterprise risks, and collaborating with stakeholders are key to ensuring information privacy.

The Value of De-Identified Personal Data
As the legal compliance landscape grows increasingly complex, de-identification can help organizations share data more securely.

Privacy: The Slow Tipping Point
A trend toward more and more data disclosure, as seen in online social networks, may be causing users to become desensitized to privacy breaches in general.


Risk Management and Resilience
Using the Smart Grid Maturity Model (SGMM)
Over 100 electric power utilities are accelerating their transformation to the smart grid by using the Smart Grid Maturity Model.

Integrated, Enterprise-Wide Risk Management: NIST 800-39 and CERT-RMM
Business leaders must address risk at the enterprise, business process, and system levels to effectively protect against today's and tomorrow's threats.

Conducting Cyber Exercises at the National Level
Scenario-based exercises help organizations, governments, and nations prepare for, identify, and mitigate cyber risks.

How Resilient Is My Organization?
Use the CERT Resilience Management Model (CERT-RMM) to help ensure that critical assets and services perform as expected in the face of stress and disruption.

Train for the Unexpected
Being able to respond effectively when faced with a disruptive event requires that staff members learn to become more resilient.

Introducing the Smart Grid Maturity Model (SGMM)
The SGMM provides a roadmap to guide an organization's transformation to the smart grid.

Ensuring Continuity of Operations When Business Is Disrupted
Providing critical services during times of stress depends on documented, tested business continuity plans.

Managing Relationships with Business Partners to Achieve Operational Resiliency
A defined, managed process for third party relationships is essential, particularly when business is disrupted.

The Smart Grid: Managing Electrical Power Distribution and Use
The smart grid is the use of digital technology to modernize the power grid, which comes with some new privacy and security challenges.

Rethinking Risk Management
Business leaders need new approaches to address multi-enterprise, systems of systems risks across the life cycle and supply chain.

Security: A Key Enabler of Business Innovation
Making security strategic to business innovation involves seven strategies and calculating risk-reward based on risk appetite.

An Alternative to Risk Management for Information and Software Security
Standard, compliance, and process are more effective than risk management for ensuring an adequate level of information and software security.

Security Risk Assessment Using OCTAVE Allegro
OCTAVE Allegro provides a streamlined assessment method that focuses on risks to information used by critical business services.

The Path from Information Security Risk Assessment to Compliance
Information security risk assessment, performed in concert with operational risk management, can contribute to compliance as an outcome.

Business Resilience: A More Compelling Argument for Information Security
A business resilience argument can bridge the communication gap that often exists between information security officers and business leaders.

Resiliency Engineering: Integrating Security, IT Operations, and Business Continuity
By taking a holistic view of business resilience - similar in many ways to classical engineering - business leaders can help their organizations stand up to known and unknown threats.

Adapting to Changing Risk Environments: Operational Resilience
Business leaders need to ensure that their organizations can keep critical business processes and services up and running in the face of the unexpected.

Assuring Mission Success in Complex Environments
Analysis tools are needed for assessing complex organizational and technological issues that are well beyond traditional approaches.


Security Education and Training
Software Assurance: A Master's Level Curriculum
Knowledge about software assurance is essential to ensure that complex systems function as intended.

Better Incident Response Through Scenario Based Training
Teams are better prepared to respond to incidents if realistic, hands-on training is part of their normal routine.

Using High Fidelity, Online Training to Stay Sharp
Virtual training environments can deliver high quality content to security professionals on-demand, anywhere, anytime.

What Business Leaders Can Expect from Security Degree Programs
Information security degree programs are proliferating, but what do they really offer business leaders who are seeking knowledgeable employees?

A New Look at the Business of IT Education
System administrators increasingly need business savvy in addition to technical skills, and IT training courses must try to keep pace with this trend.

Building Staff Competence in Security
Practical specifications and guidelines now exist that define necessary knowledge, skills, and competencies for staff members in a range of security positions - from practitioners to managers.


Software Security
How to Develop More Secure Software - Practices from Thirty Organizations
Organizations can benchmark their software security practices against 109 observed activities from 30 organizations.

The Power of Fuzz Testing to Reduce Security Vulnerabilities
To help identify and eliminate security vulnerabilities, subject all software that you build and buy to fuzz testing.

The Role of the CISO in Developing More Secure Software
CISOs must leave no room for anyone to deny that they understand what is expected of them when developing secure software.

Is There Value in Identifying Software Security "Never Events?"
Now may be the time to examine our responsibilities when developing software with known, preventable errors - along with some possible consequences.

An Experience-Based Maturity Model for Software Security
Observed practice, represented as a maturity model, can serve as a basis for developing more secure software.

Mainstreaming Secure Coding Practices
Requiring secure coding practices when building or buying software can dramatically reduce vulnerabilities.

Developing Secure Software: Universities as Supply Chain Partners
Integrating security into university curricula is one of the key solutions to developing more secure software.

How to Start a Secure Software Development Program
Software security is accomplished by thinking like an attacker and integrating security practices into your software development lifecycle.

Identifying Software Security Requirements Early, Not After the Fact
During requirements engineering, software engineers need to think deeply about (and document) how software should behave when under attack.

Building More Secure Software
Software security is about building better, more defect-free software to reduce vulnerabilities that are targeted by attackers.
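The fuzz testing entry above recommends subjecting the software you build and buy to fuzz testing. What follows is an added, self-contained illustration of that technique; it is not code from the podcast or from CERT. It defines a constructed toy parser for a length-prefixed record format with a deliberately planted length-handling bug, a small mutation fuzzer that distinguishes expected rejections (ValueError) from genuine crashes (anything else), and a hardened version of the parser that the same fuzzer no longer breaks. The record format, the parser, and the seed input are all assumptions made for the example.

```python
import random
import struct

# Constructed toy record format (assumption for this example, not a real protocol):
#   2-byte big-endian payload length | payload | 1-byte checksum (sum of payload mod 256)


def make_valid_record(payload: bytes) -> bytes:
    """Build a well-formed record; used as the fuzzing seed."""
    return struct.pack(">H", len(payload)) + payload + bytes([sum(payload) & 0xFF])


def parse_record(buf: bytes) -> dict:
    """Deliberately buggy parser: trusts the declared length.

    If the declared length exceeds the bytes actually present, the checksum
    read indexes past the end of the buffer and raises IndexError instead of a
    controlled ValueError. In C this is the out-of-bounds read fuzzers exist to find.
    """
    if len(buf) < 3:
        raise ValueError("short header")
    (length,) = struct.unpack(">H", buf[:2])
    payload = buf[2:2 + length]
    checksum = buf[2 + length]  # bug: no check that the buffer is long enough
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")
    return {"length": length, "payload": payload}


def parse_record_fixed(buf: bytes) -> dict:
    """Hardened parser: validate the declared length against the real size first."""
    if len(buf) < 3:
        raise ValueError("short header")
    (length,) = struct.unpack(">H", buf[:2])
    if len(buf) != 2 + length + 1:
        raise ValueError("declared length does not match buffer size")
    payload = buf[2:2 + length]
    checksum = buf[2 + length]
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")
    return {"length": length, "payload": payload}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level mutations to a seed input."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete", "truncate"))
        if op == "flip" and data:
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif op == "insert":
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif op == "delete" and data:
            del data[rng.randrange(len(data))]
        elif op == "truncate" and data:
            del data[rng.randrange(len(data)):]
    return bytes(data)


def fuzz(target, seeds, iterations: int = 2000, seed: int = 1) -> list:
    """Mutation fuzzer. Returns (exception name, input) pairs for every crash.

    A ValueError is the parser rejecting malformed input on purpose and is not
    a finding; any other exception means the parser lost control of its input.
    """
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    crashes = []
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:  # noqa: BLE001 - we want every unexpected failure
            crashes.append((type(exc).__name__, case))
    return crashes


if __name__ == "__main__":
    seeds = [make_valid_record(b"hello")]
    for name, parser in (("buggy", parse_record), ("fixed", parse_record_fixed)):
        found = fuzz(parser, seeds)
        print(f"{name}: {len(found)} crashing inputs")
        if found:
            print("  first crash:", found[0][0], found[0][1].hex())
```

The fuzzer needs no knowledge of the format beyond one valid seed; the length-field corruption that crashes the buggy parser is found within a few thousand iterations because flipping any high bit of the length bytes over-declares the payload. Treating only the parser's own rejection exception as benign is what turns "it threw something" into a real finding, and the same harness run against the hardened parser is the regression check that the fix holds.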


Threat
Building a Malware Analysis Capability
Analyzing malware is essential to assess the damage and reduce the impact associated with ongoing infection.

Indicators and Controls for Mitigating Insider Threat
Technical controls may be effective in helping prevent, detect, and respond to insider crimes.

Protect Your Business from Money Mules
Organized criminals recruit unsuspecting intermediaries to help steal funds from small businesses.

Mitigating Insider Threat: New and Improved Practices
282 cases of actual insider attacks suggest 16 best practices for preventing and detecting insider threat.

More Targeted, Sophisticated Attacks: Where to Pay Attention
Business leaders need to take action to better mitigate sophisticated social engineering attacks.

Getting in Front of Social Engineering
Helping your staff learn how to identify social engineering attempts is the first step in thwarting them.

Insider Threat and the Software Development Life Cycle
Significant insider threat vulnerabilities can be introduced (and mitigated) during all phases of the software development life cycle.

Tackling the Growing Botnet Threat
Business leaders need to understand the risks to their organizations caused by the proliferation of botnets.

Inadvertent Data Disclosure on Peer-to-Peer Networks
Peer-to-peer networks are being used today to unintentionally disclose government, commercial, and personal information.

Protecting Against Insider Threat
The threat of attack from insiders is real and substantial. Insiders have a significant advantage over others who might want to harm an organization.

Proactive Remedies for Rising Threats
Threats to information security are increasingly stealthy, but they are on the rise and must be mitigated through sound policy and strategy.


Trends and Lessons Learned
Cyber Security, Safety, and Ethics for the Net Generation
Capitalizing on the cultural norms of the Net Generation is essential when developing security awareness programs.

Tackling Tough Challenges: Insights from CERT's Director Rich Pethia
Rich Pethia reflects on CERT's 20-year history and discusses how he is positioning the program to tackle future IT and security challenges.

Climate Change: Implications for Information Technology and Security
Climate change requires new strategies for dealing with traditional IT and information security risks.

Integrating Security Incident Response and e-Discovery
Responding to an e-discovery request involves many of the same steps and roles as responding to a security incident.

Virtual Communities: Risks and Opportunities
When considering whether to conduct business in online, virtual communities, business leaders need to evaluate risks and opportunities.

The Human Side of Security Trade-Offs
It's easy to think of security as a collection of technologies and tools - but people are the real key to any security effort.

Dual Perspectives: A CIO's and CISO's Take on Security
Given that you can't secure everything, managing security risk to a "commercially reasonable degree" can lead to the best possible solution.

Reducing Security Costs with Standard Configurations: U.S. Government Initiatives
Information security costs can be significantly reduced by enforcing standard configurations for widely deployed systems.

Real-World Security for Business Leaders
Security is not an option - but it may be time to start viewing it as a business enabler, rather than just a cost of doing business.

Convergence: Integrating Physical and IT Security
Deploying common solutions for physical and IT security is a cost-effective way to reduce risk and save money.

IT Infrastructure: Tips for Navigating the Tough Spots
Organizations occasionally may need to redefine their IT infrastructures - but to succeed, they must be prepared to handle tricky situations.

Evolving Business Models, Threats, and Technologies: A Conversation with CERT's Deputy Director for Technology
Business models are evolving. This has challenging implications as security threats become more covert and technologies facilitate information migration.

CERT Lessons Learned: A Conversation with Rich Pethia, Director of CERT
Learn more about the future of CERT and Rich Pethia's view of the Internet security landscape.


Tips from the Trenches: Areas of Practice
Why Organizations Need a Secure Domain Name System
Use of Domain Name System security extensions can help prevent website hijacking attacks.

Controls for Monitoring the Security of Cloud Services
Depending on the service model, cloud providers and customers can monitor and implement controls to better protect their sensitive information.

Mobile Device Security: Threats, Risks, and Actions to Take
Internet-connected mobile devices are becoming increasingly attractive targets.

Securing Industrial Control Systems
Securing systems that control physical switches, valves, pumps, meters, and manufacturing lines as these systems connect to the internet is critical for service continuity.

Using the Facts to Protect Enterprise Networks: CERT's NetSA Team
Network defenders and business leaders can use NetSA measures and evidence to better protect their networks.

Analyzing Internet Traffic for Better Cyber Situational Awareness
Automation, innovation, reaction, and expansion are the foundation for obtaining meaningful network traffic intelligence in today's extended enterprise.

The Upside and Downside of Security in the Cloud
When considering cloud services, business leaders need to weigh the economic benefits against the security and privacy risks.

Concrete Steps for Implementing an Information Security Program
A sustainable security program is based on business-aligned strategy, policy, awareness, implementation, monitoring, and remediation.

Managing Security Vulnerabilities Based on What Matters Most
Determining which security vulnerabilities to address should be based on the importance of the information asset.

Connecting the Dots Between IT Operations and Security
High performing organizations effectively integrate information security controls into mainstream IT operational processes.

The Real Secrets of Incident Management
Incident management is not just about technical response. It is a cross-enterprise effort that requires good communication and informed risk management.

Crisis Communications During a Security Incident
Business leaders need to be prepared to communicate with the media and their staff during a high-profile security incident or crisis.

Inside Defense-in-Depth
Defense-in-Depth is one path toward enterprise resilience - the ability to withstand threats and failures. The foundational aspects of compliance management and risk management serve as stepping-stones to and supports for other, more technical aspects.

Change Management: The Security 'X' Factor
In a recent survey of organizations' security posture, one factor separated high performers from the rest of the pack: change management.


NEWEST CONVERSATIONS

Considering Security and Privacy in the Move to Electronic Health Records

December 20, 2011
Featuring Deborah Lafky, Matt Butkovic, and Julia Allen


Download:
full conversation (28:26)


Additional Materials
Show Notes
Transcript (pdf)

Why Organizations Need a Secure Domain Name System

September 6, 2011
Featuring Alex Nicoll and Julia Allen


Download:
full conversation (20:50)


Additional Materials
Show Notes
Transcript (pdf)

Controls for Monitoring the Security of Cloud Services

August 2, 2011
Featuring Jonathan Spring and Julia Allen


Download:
full conversation (19:18)


Additional Materials
Show Notes
Transcript (pdf)

Building a Malware Analysis Capability

July 12, 2011
Featuring Jeff Gennari and Julia Allen


Download:
full conversation (24:46)


Additional Materials
Show Notes
Transcript (pdf)

Related Course:
Malware Analysis Apprenticeship


Notice
If you experience stalling while playing/downloading the podcasts, you may wish to download the file in its entirety first. To do this, right click on the file and select "Save Target As." When it is saved, double-click the file and enjoy the show.

Legal Disclaimer
These podcasts and all related information and materials ("materials") are owned by Carnegie Mellon University. These materials are provided on an "as-is" "as available" basis without any warranties and solely for your personal viewing and use. You agree that Carnegie Mellon is not liable with respect to any material received by you as a result of using the web site on which they reside and/or for any consequences or the use by you of such materials. By viewing, downloading and/or using these materials, you agree that you have read and agree to our terms of use.

Contact Us
We welcome comments, suggestions, or other general feedback at podcast@cert.org.

