
Boston BSides - Jim Bowker - We Bought Some Tools -- Now What?

BSides Boston · 53:13 · 33 views · Published 2016-08
About this talk
Everyone knows that information security isn't something that can be ignored. Most people are doing something about it. But how do you know if you're focusing on the right things, and where your gaps are? Is your focus based on a checklist your CIO read in a magazine? The key to a successful information security program is organization and documentation, the less fun but still vital part of information security. In this presentation I plan on outlining the steps to setting up a formal information security program and identifying gaps for current programs.

- Creating the main framework document & what should be in it
- What to do when your boss gives you a security checklist he read in a magazine
- Strategies on selecting a security framework: SANS Top 20, NIST, ISO 27001, Cyber Essentials
- Establishing a security council
- IR plan & template
- Policies
- Change management
- Vulnerability management

Jim Bowker, CISSP, has been in IT for over 20 years, with the last decade or so focusing on information security. He has a Bachelor's in Computer Technology from Purdue University and a Master's in Information Assurance from Northeastern University. He currently heads up the Information Security team at Charles River Associates here in Boston, an economic and management consulting firm. Previous experience includes working in government contracting in the DIB space.
Transcript [en]

my first time she willna so if I just really started sorry I'm gonna wander by the time the presentation i did with ifc one in the Pilates with six and seven-year-olds don't even oh it's just for you positive age it really didn't know just like how this is different than you know getting whatever class alright so here we go this must be bought some tools now I eat yes principal was it based on conversation I've had with the end of mine they were going to an organization very immature security programs no cable will download some tools and get some free stuff and put so I started some good tools place month you know maybe pop you can expose

to use the skins that LTS so long you know we're good we're going to be securing out this week absolutely that's not quite the way that worms and so my purse you today is I'm going to try to get people just a simple times either starting up the information security program if there isn't much than your current place or are just looking around and seeing what people how is what I have compared to you know put this batter's box without up here and you know people pleaser alright so a little bit about me please jump up in a deeper a bit now of information security flesh that hit or so got degrees inserts and all that garbage stuff but important

takeaway from this is that when i'm at work they say it again he's the security guy i work for a small company so it's not a huge IT department and i get anything out of them and then your desk okay well you're gonna wanna them you know go and talk to the director of your songs with your security team though outside those with me excuse me I have a couple of hardened how you helped me out that's it the reason why you want for a small program you want like Stoke Buddha security diet is so that when there's another request or something there's somebody marketing that wants to use some you to land they're going to put

all their data they say the salesman for poets my museum us lodged up to secure I want them instead to say my response to autumns a fool's you're probably just checked with us appear to die see you know misfits in everything else going on if you get nothing else today the efforts that you make to ensure that folks outside of security are talking to you know new things that's important so any time when security comes up it should be thought through all right be gentle I basically put this together onto my slides last night decided on the last night after that dinner it was wanna do these things are so what we're basically talking about here is a lot of

your most is based around process lots and selling technology so who start talking about framework dr. what I mean by that and how a framework house organize your efforts and portrays your initiatives in a way that makes the makes a lot more sense so I just tell my boss aight i found this cool new tool and it's going to cost 10k 2015 say whatever it is but don't worry be happy cat-backs we should do it because i think it looks really cool he's probably going to say enough is available on the cheap side and it's please my boss but my from come say hey this is the whole program to put together doing this betweenness prioritize Allah Fisk's and

if we can dis we're going to reduce our risk we're going to make this better or we're going to solve on under whatever it is explained the whole thing out and then this is what it's going to cost and reason we're doing this over this is because I played it on love then he's going to be far more likely to listen to my thing there's also plenty of things that you can do that don't possible documentation just is going to cost your time network so if you have your bowl add together when it comes a lot of documentation is done and then you can present that it's going to change people's flow problem reception where is

it just a security person who lots of tools and stuff or is it that we've developed the whole program and our protein to the much more that make sense okay what to do with your boss gives you security chest with a checklist ready magazine three might have this in here because it's happened to me more times than my judgment that Bob's mom playing somewhere he's not a bad guy but we must be pushing care costs and off course we do Wall Street Journal and it's if you have to do these things otherwise just you know the world's gonna come to an end so I mean you drop everything you're doing and fix these five things that's what I've been

there that's all that's important and he's going to take way that as long as he told me that I do something based on that with you everything's gonna be fine he doesn't care about all the things we worked on the Hibiscus shoot how to parent prioritizing worried about my rhythm everything so talk about that we'll talk about security council again this goes to a programs maturity level of security council is not just security people it's that you get a few key users from different areas and you're going to talk about security so one thing you have the kind of slave dump down but communicated in such late at Nantes approval under feel really comfortable and what this gives you is it gives you

mine so if I'm talking to the heads of some of the different practices and someone from the HR department somebody from the finance department where just hasn't okay here so you don't want to be issues that we have to tackle or thinking of tape modify our external consultants and using multi-factor authentication song they don't need to know which over use need to note that why we're doing this and what effect that has everything else this is where I'm gonna get my champion from so when all of a sudden the HR department finds out that okay you know when we fold this out they're going to be too you don't take this little party kocaman put it is

number before they can get to the network tears of the fire we're doing it now i have a champion those persons one communicate that to them someone who is involves discussions and understands this wasn't something just capricious and whimsical decision on my part I will talk about instant response playing just at least to the high level we'll talk about policies which everybody knows lots talk above change management found some basic pro speed and seeing as how this is my first time one of these unfurnished and embrace to the slides men 20th later I'll have those lines in it so like 16 here you already number 37 all right vicious very free market so this is a multi-purpose

document it does a lot of force so it's not that difficult to rightful but it helps you feel is it helps you kind of organize your thoughts and later it will be used to keep to eat your processing line it's as I say hey I'm not going to read everything on the slides the military knows how to read them so it doesn't need to put everything but really should so what I mean by that is don't try the first pass to think of every single possible thing you do in terms of security to try to put it into this one minute thought so when people say hey what do you do for information security you bring up this view the

broward he's got this hot repair okay here's what we do nobody's going to be dead especially nowadays and you know the people of you that have an attention span slightly longer than that they're not going to prepend so the idea is an information security framework contains a brief description somebody things you do and then if they really care to read more about any given month when you go to whatever documentation is there so you might have one item our intentions on rebuilding engine it will tell them that we're basically just a comprehensive we have a front of illuminating program yes and here's what moderately management is in wonderful sentences and if you care to beat any

more about it well if it's government over here so that way if we change something up I would go and change that off and or have to change this um when we have some new things that we start doing that require me just decide the order to implement men okay well we should probably applies with a strategy around so a person is in charge left program goals and okay we're over setting it up where he was dismissed we're gonna talk about process that's when you want to go and add something into a very framework so shouldn't be a big long tortuous country that you eat fairly small few pages where it just covers all of the basic things that

you're doing in terms of suitors though you're not to think of everything ones just put down some things you can think of another living government since as long as you too bad for medication is mentioned here huh blocked out in são joão you get living government one of the advantages to take that process approach with a lot of this but it helps increase your maturity level so by that I don't mean that okay this sounds like was written by a kindergartner it means like cmi capability maturity level models that's worth noting which is a scale that goes along with five once you reach at least 11 3 it means pick your stuff is well thought

interesting ok so before this guy I had

bye before this life clearly I didn't I opened the primary cookies because my notes just in case it didn't work I was life is mom here so but why it is I basically and when the slides available and try to make sure i have my act together enjoy the rank months ago sort of ex lives with 11 cycle it was 12 just be sort of a significant of what a framework document would be this framework Duncan had a larger current section and that was broken down into managerial operational so what I mean by those are material goals are the ones that you know somebody apartment in today we're going to do you know business in this they tend include

things like the main security plan electronic resources plan how you can a physical security to your risk assessment instead of the information security possible when we started what do I have four employees me

because all this stuff is kind of talks pundits your response plan all that stuff operational controls 10 feet ones that are people so what what do I mean by up every year we make our employees signed off on some policies do some basic training here's what they have to do for changing management you know all the things that are items that you tell the people need you need to do this business and what they're physically doing as opposed to the nadir want to extend any much more policy room so it's what we different to their technical ones because they kind of go in the hierarchy technical ones are your hardware and software solutions so you

know we put in multi-factor authentication as a technique be put in n sort of just some random person angle and thunder laptop into the network Genentech split our things into those three categories we start adding them in overtime is fun which is against bigger bigger so then get six months pronounces what do you know what he had in place for an information security program I can't run this one document it's just a few pages long it was the Highlands as opposed to be trying answer that question oh wow you know we do a lot of stuff and I'm trying to think of the top of my head like what things i should say and everything else it's not gonna sound

like you safe yeah here it is right here and you get a far better impression okay Daisy major reason that I put this in here it is one of these steaks that I've seen people make and I'm including that I've done before is that something happens like this you bought picks up magazines with the remaining to be free fall street journal I read the most feature every morning not because I find it hopefully interesting but I know if there's something in it as related to security or risk with something else RM console or make their cio for me to take off you know what are we doing about this to this is the most important

problem right now because i just read it you know it's nothing in the world because we have a lot usually we currently do so i know it saying that you know we should do this but here's what we do instead or we already have this initiative so you want to be a little bit better than variable some of those articles we use ground certainly dealt convince your boss hey yeah you know these five simple steps are going to solve all of your problems and you're not doing an addition it's not quite that simple it was a lot of possible you know II to be here because they just would find a checklist and Peyton I

things on a checklist in what we're good so when if you guys this is anything gonna do this you know whatever happens next that's that's up to you some basic do's and don'ts if you tell your boss does this crap it's not gonna it's not gonna it's not gonna offer for you wanted numbers ah don't say oh yeah that's great I'll take that under advisement and tell by my body language that you know 30 seconds forget this conversation I really don't care whose them don't put you pause and say oh well you know its best and this naturally this is work with it he doesn't want to have a technical argument with you vomit so none of those

approaches really thin to health so but I found it's far more effective to say okay well you know that this is it two different than what we're already doing so we already do a lot of those steps there might be some little God's greatness what i can do is i can take that list and had not prepared to offer currently doing and whatever the deltas are i'll send you love you know some of the changes so the list accomplished is a few things your boss feels like he accomplished something so he's that means going to be a little problem your boss is going to stay home halo this person looks like they're on top of it and one of the reasons why

that perception is important is because not only it's true but generally have your energy to get an unimaginable illness but it's also important because then later on when there's some question where your boss is getting two different stories and he or she have to decide whether or not they're gonna listen what you're saying or what this marketing person is saying because they hope hey both i'm going to take this person's word work because I trust is a hurricane ian because these have been my other experiences in the past I want to start building that rapport with people above you because if you just tell them oh well thats dumb or no that's not what we're doing for you start bagging if i

tell my boss why are you should or shouldn't use nanak getting started to put a value on the wireless network this uncle fluffy kind of isn't even if we lock it down they can do spoil the guests from starbucks and get here he is a one hit up because one thing is not going to understand immediately go on the defensive and it's just not going to end well so instead by doing it this way you still can work on stuff didn't want to that you need to do but it's a little bit of effort on your part and it will help cement their relationship that make sense

all right selecting a security framework um one of the reasons that I put this in here is not necessarily that I really care which framework people use but you should have one and the reason for doing that is that if you don't do people say well you know how are you you know how do you know which direction you're taking things that are teaching them well we're currently blind with da otha so if they from well you know what are we doing about this thing they were fall in this business gamers as opposed to this one now it becomes the discussion of well you know is this greg from framework who should be following something else it makes much more sense

to have some lists that you can show that direction and you're not just making this stuff up as we go there are some easier ones Prince in Sam's Club money what's really nice about Sam's everybody here non Stanford so what's nice about that is its entirety so number one is more important than you know number 20 so start up here you get these basic ones down there yet later you decide to align with the mists into the SP 800-53 it's everything that's in there all the stuff from sams about 20 was still for that so if you've already got the basic stuff your article to be well on your way what's going to more company or people that have to do stuff

in the UK cyprus angeles and if you look up HMG cyber central blah blah blah whatever the stigmas you can find same thing it's very simple list it's even small instead of 10 things it's actually just same time but or anybody that doesn't mean business in the UK they'll want to know how fit you at those five you need Pauls this and stuff list things that directly address those product is everybody happy it's also some bigger ones that this one I really thought few minutes it's a little outline outline just moves faster you kind of beat that whole thing gets if you're having trouble sleeping at night try reading that document and it's and X things once

it's less than intuitive but it is a bit standard and has a lot of things in terms of guideline ISO 27001 i sting about pets games specifically annex a hideous that have images i doesn't been a few it lists all well the 2007 versions electronic very frequent folks is weighing their team just changing around a little bit but basically just shows a list of controls and if you take that list from the annex and you say okay with what do you do for this control what we do for this control even without one for the certification you can sort of use it as a good checklist to see how close you are before it's aligning know so figure how do i need to

soften this is um the soft products on offer fair members ssae 16 in the same things those a genotype of slop is it not socks I can't believe the amount of productivity that has been lost in companies with Isaac's linkedin socket it's locks the two totally different things why on earth they had to put those two names posts I have no idea and it wastes a ton time I wasted per second through this venture talk soon so basically the song it shows that I had a third party come in and I gave them my list of controls whatever those controls are and they judge the effectiveness of those for Moltres tightness on to type one for us on to type 2 would be will

see the effectiveness of those controls or four time periods you have evidence that you did this you say that you do in a quarterly pods of your appear biggie users well you know let me see for this year I expect to see more reports and reviews inside on something all right establishing an information security council so I touched on the slope it to start with this accomplished this mini polls it's a good way to engage the users on your initiative so before you do something that's going to potentially impact the users never guess just how well is going to be received and sometimes the reactions aren't necessarily how you expected so for all our phones of our themes to use that

confuse will be investor spell table if you want to use your phone instead of a company phone and you're going to have manufactured upon it it has to be included in our DM so we're going to solve as ok plus people were part of it then group too AirWatch worked a little better what we doin everything a ton of pushback you might guess why got a lot of pushback on their watch where we'll be really creative on Pez because I said ear of watching it and everybody who push backs at covel are you like a big brother kind of thing are you guys older I don't mean to do I can care less you know that you're sending cat

pictures onto something I just want to make sure of it our email that might be on there and some other stuff I want to make sure they're just put your old bike that device I want to make sure that your font some simple rules I want to make sure that the device is encrypted I want to make sure that you know haven't asked photonic so I can just swipe that unlocking it you know what everyone you wanna um I had no idea that we're gonna go put it back just because it was something with the word watch and everybody soon that was a big brother despite people already haven't been on there which was our previous and the

absolution look this way it is Henry front that I've put security council at first I'm going to notice that right away than people patents reaction maybe instead of saying the name of binoculars visit or changing our MDM solution from this another good thing about the security program by the e Commission's very console matter is that what's a new students practice so but if it's true so when someone's as well oh you know you guys should really have information some pretty fun so it's just one more checklist so if somebody is basing your posture on if you have these things done say yes with that it would be like in your framework document yes so it's just

a information for these guys or is it important it depends how much your questions answers so what way we run the money if my company is we have a few people and there are some of things that are just going to be that economic optional aight i want to let you guys know this is what other ones we stay low we want to do this these are some of the concerns that big users might have or what do you think you guys uses your users would be concerned about so some of them tend to be more democratic approach some of them are more health education so I try to leave the discussions as open as I can for as many

things as I can because you get way better flying in that way you say we're going to do this remember this we're going to do this it doesn't work as well but if you present two solutions to people and one on the left this is this one of the rights of this one isn't one nother month if they read this person a lot of times people are going to pay it's over here those little things you can do to change people's and opinions of things if you ask them to prioritize a list of tasks I'm going to put them in the order most important to least important and has people prioritize this because if I do that there are more

likely to take it in order this closer to this as opposed to flipping it and if you don't believe me just take you know two groups of people flip it for the least important on the conference and as people we found this one before this one so the station can do to influence it's still giving people the ideas that they're finding out letting you find out but the morgue engage they feel the better body that make sense in it keeps the lot of folks happy because everybody wants to see so you want to spend your time on the changes that impact business so if we're going to be in car linux machine we had some old months of work

at five and i'm upgrading to red head sticks we're so i'm not going to focus on that and focus on that work for chanel multi-factor authentication that we're doing other things that are going to impact the users so if it's something that happens in the background that unless we screwed up they're not even enough I'm not gonna bother those all right instead response plan this is important one to have this plane templates out there and everything's we can get something in place it has a basic thing you know read on there that you know it needs to have its purpose you know what the scope of it is when you should invoke it what your

definition is different people have different impressions that up here you want to mention that okay well any incidents go before the information security console oui chef incident moment or so that when you know something happens when people who's the person that's in charge of this you have a response seemed so you want to kind of starts to find all the stuff ahead of time so that when there is that oh moment but ok well what do we do here we already kind of thought of nothing to think of everything my crystal balls been broken for good seven years now but you can at least get part of the way there and people are going to have a

better impression when you better okay well yeah we had this issue blah blah this is the person is in charge of the incident these people have working on it here's our evidence yet will refine gold love it's a lot easier to have that in place ahead of time and try to figure out what you should do what's your mind off of this guy's mom one of the important things we should have in this because when this all kinds of things weren't wrong you don't get me take with very good notes that we study have you running around with my hair on fire butthead here there was something going wrong but yeah isn't Gary template that

says okay mom you know what's the date and time has happened you know who reported the problem who's the person is documenting this you know what's the severity lists have other definitions that you put in the head of terms of people you know decide what was the very ism what steps we've taken in all the other and I go and beat them all over the Kendall's and everybody dirty you should do a conference room pilot at some point which is that you get a few people together from baby news on one of your information security council meeting said okay we're going to test this so let's say is happen you know if so-and-so just reported evasive and

email to remember in the emulation deposition how would we handle and what that does is when you go from magical exercise is there's often some unforeseen things they should expect when a disaster recovery conferencing pilot and you've got everybody together was that okay well it's too distant so we pick the scenario out hands over towards maybe but advanced it okay well this happened oh we need to talk to the facilities guy going to college man in its responding on the line moves kid we call my cell phone we didn't get her cell phone they would call his home phone you get into his home phone not sure why it was a part that day I don't

know if he was a sighting somewhere where every this one okay mall not one guy said well why don't we just pick another scenario I think this happened in real life and we couldn't get in charge we can get in touch with Steve you know what should we do like a we spent the next 15 minutes arguing about who we should call back it was kind of but I was in a position to enclose everybody's a lot of people higher on the routine so I can tell the CEO to really then how about we just talked with a person so we eventually figured out you know who the next person feet and then one of our next steps was that

okay for of all the people who are listed on our bevels of the argument with a lot of Thomas's name if you don't meet this person you know maybe wait the half hour and itself up reaching that you talked to this person if it's this type of issue and are you trying to reach out to him over here this is next person so it was a change with me based on time you want to continually improve this based on observations you made you want to fact your attention is really very keen on scope you can change to this one man you want to let you wanna make sure that everybody knows about policies everybody loves policies right

that's what you get live for me unfortunately they aren't kind of important you can buy guidance and fabrications key areas it enforces your organization's of a profound issues we put together an active shooter policy it's kind of awesome didn't one think about it but after tending and talk we can regard me with the gathers at the time was the head of the Connecticut State Police he mentioned his things in terms of what happened with the whole example how that it was a tough speech to get through because it was obviously tuck frump this even years later he was going to be looking at his news talking different been in talks about this but one of the things that he didn't come on

was they the whole thing city folks over in less than four minutes none of the speed roofers were there by the time they got there the whole thing is over who's done with but nobody you can because they just stopped their disco finding assessments going on so they send people into clear the building and everything else would not be any column is that anybody who went into that building was useless for the next eight days based on what they seem so he lost the temporary you temporarily lost three-quarters of this people anybody that had been exposed to that they they were useless and I think in the end that if I hitherto you know but

it happened on that day I wouldn't even work so things like this you just had even just don't think of those kind of things so it was interesting to get that perspective zone it's important to put policies together figure out you know what do we do with things and it also shows that you have better maturity level beginning for whatever you're doing there's one other thing too much was check with your HR dept legal there's there's two types of policies there's policies that are the capital P policy and create liability for your company so even though it's if you created a working home pulse against it oh you can only work come home if you do

this this in the range for challenger I saw that in the companies working on policy which is a oral facial put in the policy because now you safe okay both people that have kids I'm putting them in a different pocket than everybody else as soon as the HR person saw that is it okay if you take that out I'll be obviously with letting up so there can you just have to be careful when you're right at all since everything else that you want to make sure that your HR legal department can take them up to make sure that it'll be stays on you should also have a central repository for things because you want to just have to be

anything fancy rsb through the sharepoint page and there's a little bit of metadata that has the basin for all of them that they were last review so as soon as it comes close to the date of its been a year something goes through a look and see who the owner is it can sense with that person hey you need to review this again so what are you get in time people look at all our policies you see that they halted recruit or you in the last year

changement the last legs of different ideas you might they do it so i'll see ya hair proof in here on this coffee just i pulled up an older couple my size unfortunately so the first time this is you know why is included here change management really doesn't sound you know milega security well for one especially if you have customers that are regulated industry patient care so if I company we do a lot of long work with banks they are obviously heavily regulated so before they are willing to use our services they want to make sure that our together Terry so if I don't have a mature change management program placement okay here's how we handle

stuff is what's in our production environments here's how it home for the year here here's how we do conservation movies we don't have all those it's going to be a big check mark against us in terms of whether or not they decide that our security standards and are where they need to be and also auditors doesn't care about it not a big fan of auditing clip inside necessarily evil it's going to be here it's not going to go away so so the crucial take away from this legend gets the only ones here if you could see my points the most important one on there would be that it's not the specific tool in methodology it uses it's the process if

you have a process in place and that process is documented you have evidence that you follow that process the way that documented that is far more important than which tool we use so if you have a cracking process someone says hey just buy this new tool and all your hopes of itself you can probably fix it if you just take care of the process the operational

I did it's awesome bullets and everything I had comments below but guess not on that one so I didn't see because you hear my witness right there I basically talked about why it's included like clients with care how process is more important software you looking for process communication all right all right vulnerability management to stuff like that might be one of these don't do the slides the night before maybe give myself with more runway mess it up what a building management is another light on a mission being that mainframe we're talking to talk about but it should also definitely this is one of the first ones it needs to happen to dedicate that because but are duly

scanning knows what that is environmental management harnesses love the same things so for a while before i started the company mmm they had armful of scanning in place great so when I can i call ya can you show me their equipment yeah i think we never put here and I saw this mailbox where they had been sending an email and apparently for the past 18 months every month if emailed this report this mailbox that nobody really looked at and the reports never changed because gaming and it had hundreds of vulnerabilities listed but so they were doing vulnerability scanning we could check about you know that checkbox our foods nomination okay let's look at the ones that are we'll just start it really

basic sort of icds esco okay so all these ones that we have better tens that are on external systems that our system really care about how about we start working on loans first so we took care of those did you knock out some of the high-risk one some of the lowest ones away as well and then once we finish that we ran the same scan again to make sure that they need went away there is no pain now that goes the fun way what are the next highest and then we just list and then we put together a management document that kind of listed on that's what we do so I would say that a good vulnerability management process is

even more important than having a good tool it's great type of the coop definitely should have one there but if all things being equal to process and to talk about finding vulnerabilities prioritize based on asset criticality how it supports on things some people take any private either publicly expertly either a year but it's a one-in-a-million thing to be able to work this one anybody who has a copy of metasploit can you know wanted like that there's also some benefit to change the scanners every few years so fun that we were using connivance mention those under because there's no two tools are going to scan get exactly ed one tool thanks for looking pretty welcome went

to another tool and it immediately found that we had a default password on a draft card for certain told them you know this can't possibly even you know scanning this couldn't possibly have this so i looked at it said it was on a certain server so well the track power tools aren't used to it it's just um it's remote access card so difficult are hanged up and it's a dolly reported this card so in approval I know what the password was record button up which that server I design under the driver riku Deckard with all these things I Camilla server that I should have no access to the screenshot of it sent it to one of our sysadmin since I hate

should I be able to see this and what happens if i click this fun speed-wise aspas so he freaked out about a little bit and clear didn't short understand phrasal it is a good idea to change every once a while because of just because they're not always going to catch the same thing some buttons are these scanners are really going to care about SSL stuff other ones are really going to care about you know some older tool so i'm switching everyone's why he's doing better chance okay housekeeping they'll get a lot of this comes down to the process it's really a good idea to list out what you should do monthly quarterly and if you can't right

now point me to a playwriting what are all the security related things that you guys do what's important now everybody knows kind of a little bit i do this like this and you know Susie doesn't saw the bank into it there should be a list that says for security blade items here's a list of everything you do quarterly here's where they are in 15 evidence of where it was done last order because what happens is over time there's some requiring oh you need to be reviewing this list quarterly wait that was a neat it's okay where are you on slide 14 so i'll just have to verify you know that's why I headaches it right over here okay

all right on it is if you have a list then when you get some new requirement and who you have to start doing this quarterly and then this person was one quarter and then we forget about it and then a year goes by and then the client that asking that says we need to do this Alison you're scrambling because you have no inning bottom boat lifts that you've actually been do it when you say and the personal creations what may be done for another job and when is job transitioning it's like oh by the way you have to do this in two months so again if you have a process and you have some lists where you have all these

items then it becomes really easy to when you get into one you just add it to the same lesson again we put ours in the simple SharePoint page if you pick the drop down load it shows that it's importantly it looks the last time it was done as 13 and 90 days in once sisty changes based on that one that I did was ripped hey you need to do this one again it's what everyone smile on that page requires the four bugs that need to do it I can see whether or not things are done in which things will work it up up it also provides interpreting the mechanism for this printer the idea for

this register is conquered check the fridge which is the set of transactions over you're walking down the hall lane ok this is intriguing he did you know that on the 25th floor I know you never go of their vision with your buddies with people on the floor there the purpose you don't like but it hosts if your problem is sort of the midnight you shouldn't give you enough so i think the walkway just kind of realize you know worth it I've I should add that so I'll add that as one of the items to the risk register for me you know we have this problem where people tend to do this because mocking solid right in there

there's a lot of problems that we just end up in my room ah you know then the people at night you know this guy who always tailgates because he never remember that so rather than just did hire the problems i'm going to list it in there put in whether this is you know a critical thing but it's a look okay today market something that I'm not too worried about who really needs to take care of this and then what pays it is sometimes just identified by a whole bunch of identify things to my whispering things identify to have them anything with I don't think they're going to forget about it or is it something that I'm actively working on

the be meeting or husband completed what's this one thing if I'm right there it drops off that list but I still have a separate view magazine okay these are all the risk that we identified in part it's not that hard to put together if you require some really complicated to Auburn very high chair funding to being simple patient can become so you can put this whole thing you know what a risk assessment we currently do those it those are kind of important right so you know what do I do now well look at what we already have in place if you don't have a risk assessment it's kind of an important thing that we should have um

otherwise we're already doing it we'll just add it to the framework document but it gave you a list assessments and here's how we ba ba this is what we need to remediate these are the people that care about it all it's them so you put a me together that says what you do for risk assessment where the copy is emphatic assessment you add an item into that frame are fun so at this point we're putting on sensitivity so if you start to publish to get a lot more organized and then next time they ask me what we do for security one of the items is going to get our under control is that what it was a name that now we

have a mature well defined for people process look at that we made it through I was talking to do it in like 45 minutes under contract so me stay with anybody any questions yes you were saying like sometimes if you have clients who retired if you have certain policy itself so do you have like a general letter or smaller list of your policy for will you give them a cocky little pulses or do you just sort of give them a check box yes we do so the short answer is it depends largely answer is that I keep two pages vitual list of our policies one that shows our public policies that everybody cares about on the eight hrs items because our

employees fear about work from home sick time benefits do other things maybe one or two of the security really wants invader list that's the ones that tend to be more IT focus that only certain people in nineteen careful so what we do come on management key management stuff like that the average person Suzie Natalia does not care about how I handle not Richie so we keep all these in a separate kinda in addition to that we make sure that they're all standardized which one has the same kind of header so I and then also in terms of what not willing to give to find some of them just want to know when yes or no

other ones they want a little boring answer so one thing that I've had a fun way the future their excessive simply spreadsheet I answer all the questions and they try to just put little answers to whatever application they have something on the answer but each policy found a statement that basically references it you're happy i won say well I want to see your incident was constantly so talk to the absolutely not there's no way we're going to share that we have four tidings of Paola ok so we reach the evenings for now editions kind of knife isn't responsible in every time we make a change to it I take the first two pages title page their vision page the

table of contents and the furnace only goes up that fires feels like a person or five pages I take a PDF of that men keep their zone they say we need to see if it's in response well we can't share them what i can do is give you the snippet that shows the first few pages so they look at it in the table contents you can see all the sections even know if i'm giving away too far in terms of exactly what we do that's enough to make you happy yes ok they have oh it's a responsibility tell that it's you know put out I can tell it as a template i can see it they have a post-mortem

actually I really care about ok good so usually that combinations yes if I'm that worked a lot of things and you deal with their regulators there the wirings whether there's an interaction ok so yeah nice to their hopefully regulated so one of the things that give if your bank and have all this data and you want to put in like 88 is it a terabyte of data and I want you guys to analyze this and figure out what we're doing with this and then you'll Phillips pops of money on top of the great based on you know you're finding lots of before you have to get to the security system because one of their pockets that they

will have is be properly that third point so I have a kind of common list of things that we know that they're going to ask the word about everybody asks for the exact same things but it's been followed in a certain category so a lot are going to ask about my incident response plan as we loaded DR plan that's what i do in terms of all informations agree again if you have that one very much document that goes a long way because that's not 28 in specifics so I still usually build most of the expectations that the bank would have by having those documents without giving away on the eternal confidential information that area it's almost Alaska

efficiently copy of your last pentest or your lady's modern release no no because if I give you that what a basic thing you would say if you want to have this this is exactly where you should go so no I'm not going to what it will share with you is that ok um here's our latest remediation report these are abilities you're on this dating this was their aging it's what we did to remediate them so you know that we have a plan together and i'll give the vulnerability management but i'm going to i'm not going to go and show you a copy of our latest pentest because I don't want anybody say okay what the one that

is this an executive agency so I run a question ed around security awareness your treatment is a few things on what we found for secure to listen to things on phishing nobody wants to listen to me apparently um so rather than just really boring training their first examples is officially more appropriate fish me which is great if you put together this simple phishing campaign it goes off to everybody okay click on here to give me bonds or whatever somebody clicks on something they shouldn't and it breaks up a training page that's branded with our goal goals as my name on it so that they know that this is something which is this was the phishing exercise here's

how you should have known that it wasn't something to look at the email address it's the wrong it says you know this club when you mouse over it actually as entirely different URL we're better than this in grammar you know whatever the piece so we'll find out all the things that are wrong with it and the first few people that report it as phishing expensive about nice info my signature on a free to all the one what attached to speech missions and makes it into the first five people don't realize it's a problem and that has worked far better our initial rates with when people click on a fish to stagnate so that means that one out of

every three is going to fall for something stupid if something that leads it to that person now we're down into the single digits so that's not worked out pretty well the other thing is your training resistance urged as they pierce everything I know about phishing and I'm going to try to tell that to everybody you don't want to know everything so for any given subject which one take two or three senses I probably say two sentences to everybody about this subject whatever it is you know public Wi-Fi phishing whatever it is get two sentences and then on a creative way to get those two sentences of information okay you know whatever we need really simple cartoon characters so we have a

dodo bird good try to picture me go to work and if the bottom of pages is Dunkey photo and now once a month we send out some kind of training that's on something again very very line and at the bottom which one it says don't you go to and people have bought that and you'd be surprised over time not only do they recognize now that they're kind of getting all of those trainings together but it's very simple training short you don't want to hear it very simple and you're better off having a higher higher inception waiting for one of your senses over sent me yes perfectly
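The vulnerability management process described in the talk (highs on external systems first, remediate, rescan to confirm they went away, then the next highest, and keep the report as evidence), as an added example that is not code from the talk or the speaker's employer. The asset inventory, the scan record layout and every finding are constructed sample data; the ordering rule is one reading of what the speaker describes.

```python
"""Vulnerability management as a process: prioritize, remediate, rescan, repeat.

Added example, not code from the talk. Assets, scan records and findings
are constructed sample data; the ordering rule is one reading of "highs
on external systems we care about first, then the next highest".
"""

# Constructed asset inventory: internet exposure and business criticality (1-3).
ASSETS = {
    "web01": {"external": True, "criticality": 3},
    "mail01": {"external": True, "criticality": 2},
    "build01": {"external": False, "criticality": 2},
    "kiosk07": {"external": False, "criticality": 1},
}

# Constructed scanner exports: one record per finding, two monthly runs.
SCAN_MONTH_1 = [
    {"host": "web01", "check": "TLS-1.0-ENABLED", "cvss": 5.3},
    {"host": "web01", "check": "OUTDATED-WEBSERVER", "cvss": 9.8},
    {"host": "mail01", "check": "OPEN-RELAY", "cvss": 7.5},
    {"host": "build01", "check": "DEFAULT-CREDS-MGMT-CARD", "cvss": 9.8},
    {"host": "kiosk07", "check": "SMBV1-ENABLED", "cvss": 7.8},
]
SCAN_MONTH_2 = [
    {"host": "web01", "check": "TLS-1.0-ENABLED", "cvss": 5.3},
    {"host": "mail01", "check": "OPEN-RELAY", "cvss": 7.5},
    {"host": "kiosk07", "check": "SMBV1-ENABLED", "cvss": 7.8},
    {"host": "build01", "check": "WEAK-SSH-CIPHERS", "cvss": 4.3},
]

def severity(cvss):
    """Collapse a CVSS base score into the bands the remediation plan works in."""
    return 4 if cvss >= 9.0 else 3 if cvss >= 7.0 else 2 if cvss >= 4.0 else 1

def remediation_queue(findings, assets):
    """Order findings by severity band, then internet exposure, then criticality."""
    def key(f):
        a = assets.get(f["host"], {"external": False, "criticality": 1})
        return (-severity(f["cvss"]), -int(a["external"]), -a["criticality"],
                f["host"], f["check"])
    return [(f["host"], f["check"]) for f in sorted(findings, key=key)]

def rescan_diff(before, after):
    """Evidence step: compare two scans of the same scope.
    Returns (closed, still_open, new) as sorted (host, check) lists."""
    b = {(f["host"], f["check"]) for f in before}
    a = {(f["host"], f["check"]) for f in after}
    return sorted(b - a), sorted(b & a), sorted(a - b)

if __name__ == "__main__":
    for host, check in remediation_queue(SCAN_MONTH_1, ASSETS):
        print(f"{host:8} {check}")
    closed, still_open, new = rescan_diff(SCAN_MONTH_1, SCAN_MONTH_2)
    print(f"closed={len(closed)} still_open={len(still_open)} new={len(new)}")
```

The diff output is what goes into the monthly remediation report the speaker is willing to show a client: what was open, what was fixed, what is still being worked.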
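The housekeeping list and the annual policy review reminders the speaker keeps in SharePoint (an owner, a cadence, the last date it was done, a pointer to the evidence, and a nudge to the owner when it comes due), as an added example that is not the speaker's list. Cadences, item names, owners, dates and evidence paths are constructed sample data.

```python
"""Recurring security task register: what gets done monthly, quarterly and
annually, who owns it, when it was last done and where the evidence lives.

Added example, not the speaker's SharePoint list. All items, owners, dates
and paths are constructed; the same next-due logic covers policy reviews.
"""
from datetime import date, timedelta

CADENCE_DAYS = {"monthly": 30, "quarterly": 90, "annual": 365}
TODAY = date(2016, 8, 1)  # constructed "as of" date for the sample data

# last_done None means the item was added (e.g. a new client requirement)
# but never completed, so it is overdue from day one.
REGISTER = [
    {"item": "Quarterly review of privileged accounts", "owner": "jsmith",
     "cadence": "quarterly", "last_done": date(2016, 3, 2),
     "evidence": "sp://security/evidence/2016Q1-priv-accounts.xlsx"},
    {"item": "Monthly vulnerability scan and remediation report", "owner": "akim",
     "cadence": "monthly", "last_done": date(2016, 7, 18),
     "evidence": "sp://security/evidence/2016-07-remediation.pdf"},
    {"item": "Annual review of the acceptable use policy", "owner": "mlee",
     "cadence": "annual", "last_done": date(2015, 9, 10),
     "evidence": "sp://security/policies/aup-v4.docx"},
    {"item": "Annual review of the disaster recovery plan", "owner": "mlee",
     "cadence": "annual", "last_done": None, "evidence": ""},
]

def next_due(entry):
    """Date the item is next due, or None if it has never been done."""
    if entry["last_done"] is None:
        return None
    return entry["last_done"] + timedelta(days=CADENCE_DAYS[entry["cadence"]])

def status(entry, today=TODAY, warn_days=21):
    """'overdue', 'due soon' (within warn_days) or 'ok'."""
    due = next_due(entry)
    if due is None or due < today:
        return "overdue"
    return "due soon" if (due - today).days <= warn_days else "ok"

def reminders(register, today=TODAY, warn_days=21):
    """Group items needing attention by owner: {owner: [(item, status), ...]}."""
    out = {}
    for e in register:
        s = status(e, today, warn_days)
        if s != "ok":
            out.setdefault(e["owner"], []).append((e["item"], s))
    return out

def missing_evidence(register):
    """Items with no evidence link: done or not, there is nothing to show a client."""
    return [e["item"] for e in register if not e["evidence"]]

if __name__ == "__main__":
    for owner, items in reminders(REGISTER).items():
        for item, s in items:
            print(f"{owner}: {item} ({s})")
```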