INTERFACE Portland
March 21st, 2025

  Presented by Chaney Edwards, Sr Security Solutions Engineer • Rapid7

We will begin by building a framework whose elements we will then examine in greater detail later in the presentation. These elements will be:

  1. Know your leadership, user base, regulations, and requirements
  2. Building policy and procedures
  3. Scan scheduling, design, and validation
  4. Remediation and exception processes
  5. Validation of program
  6. Flexibility and the OODA loop

We will start by focusing on the importance of knowing your leadership, user base, regulations, and requirements, and on ensuring others understand that leadership and management buy-in is critical to the success of the program. We will talk about how to interact with your user base and what you should communicate to those individuals. We will also touch on how regulations and business requirements play a part in your program design. Next, we will spend time on building policy and procedures and understanding the hierarchy and differences between Information Security Policy, Guidelines, and Procedures.

From there we will shift gears and focus on scan scheduling, design, and validation of the scans in place. While many feel this is the most important part of a program, getting the data is actually the least important part of the whole process, and we will discuss why that is. We will cover topics including scan frequency, targets, and validation. We will touch on the benefits of tagging, the use of agents, and reporting. The focus will be that there is no "right way" to scan, but rather several considerations to guide you to what is right for you and your environment. We will also discuss remediation methods and how to track those remediations. With any remediation process, exceptions will occur, and we will touch on best practices not only for accepting that risk into your environment but also for curating the exception list for continual review.

Finally, we will discuss program validation, flexibility, and the OODA loop (Observe, Orient, Decide, Act), and how where you are on day one of your program will inevitably change over time. For validation we will cover reporting not only to leadership but also to internal stakeholders such as security and governance programs, and to the user base. We will discuss the situations that require your program to be flexible, such as new assets, mergers and acquisitions, new projects, leadership changes, and more. Leveraging the OODA loop, we will discuss processes to help tackle these changes and ensure your program can survive an ever-changing landscape.

The session will end with a live Q&A to discuss any topics raised and to field thoughts on the matter, giving the talk a collaborative close and allowing for audience participation.