Marc French, Senior Vice President & Chief Trust Officer at Mimecast, led the second of our CISO bootcamp series. This session focused on infrastructure security. Marc kicked off the discussion with his definition of infrastructure security: the application of security designs and controls to IT/technology gear.
The discussion that followed led to a list of strategy recommendations that should be considered in the design of an infrastructure security plan:
- Asset Management – This is the most critical: from hardware to cloud to IP addresses and domain registrations, a CISO must be aware of all company assets.
- Networking– There are many networking designs, pick one and stick with it. Start with your perimeter and wireless; next account for gear and networking services, including email.
- Identity and Asset Management – If your adversary gets access to IAM, they have access to everything. Identification keys, authentication, and privileged access are crucial.
- Auditing – Have a log collection and manage it.
- Endpoint – Account for more than just laptops and towers. It’s about BYOD, Bluetooth speakers, connected lighting, and anything else that runs through your network.
- Cryptography – Generate certification keys and manage the lifecycle of those keys
- Business Continuity/Disaster Recovery – Have backups and resiliency plans on site and in the cloud.
- Testing – Bring in outside specialists to attack your teams. Create teams internally that both attack and defend. If possible, do this twice per year.
- Team Considerations – Understand team structures and how they work.
For more information on upcoming CISO boot camps click below.