CISO Bootcamp Recap: Infrastructure Security


Marc French, Senior Vice President & Chief Trust Officer at Mimecast, led the second of our CISO bootcamp series. This session focused on infrastructure security. Marc kicked off the discussion with his definition of infrastructure security: the application of security designs and controls to IT/technology gear.

The discussion that followed led to a list of strategy recommendations that should be considered in the design of an infrastructure security plan:

  • Asset Management – This is the most critical: from hardware to cloud to IP addresses and domain registrations, a CISO must be aware of all company assets.
  • Networking – There are many networking designs; pick one and stick with it. Start with your perimeter and wireless; next account for gear and networking services, including email.
  • Identity and Access Management – If your adversary gets access to IAM, they have access to everything. Identification keys, authentication, and privileged access are crucial.
  • Auditing – Collect logs centrally and manage that collection.
  • Endpoint – Account for more than just laptops and towers. It’s about BYOD, Bluetooth speakers, connected lighting, and anything else that runs through your network.
  • Cryptography – Generate certificates and keys and manage the lifecycle of those keys.
  • Business Continuity/Disaster Recovery – Have backups and resiliency plans on site and in the cloud.
  • Testing – Bring in outside specialists to attack your teams. Create teams internally that both attack and defend. If possible, do this twice per year.
  • Team Considerations – Understand team structures and how they work.
