We (OWASP NZ Chch) have the privilege of hosting Drewe Hinkley, who will take us through an informative and eye-opening session on the following:
Popular culture has stereotyped information security as a realm of acronyms, mystery and caffeine.
Television shows such as CSI:Cyber, NCIS and Legends lead many to believe that unless they have dedicated laboratories full of equipment with unpronounceable names and analysts who can type faster than a concert pianist, they are at the complete and utter mercy of legions of “Hackers”. Often, this is what inspires many newcomers to our industry – under false pretenses.
Reality, on the other hand, shows that information security is a balance of controls and methods, often very mundane, which when implemented correctly can be easy to manage and highly effective.
In “Setting the Scene”, we will look into the groundwork that needs to be implemented as the first step of any successful information security program. Before the “technical” is even considered, before a firewall is activated, before a host intrusion system is installed, let’s start at the beginning – as a real-world business.
What are we securing? Defining the difference between information, critical information, confidential and proprietary information, payment card industry information and personally identifiable information.
How are we securing? User access controls, physical security, environmental security, business continuity and disaster recovery (yes – there is a difference!) and operational management.
We will discuss all of the items that relate to securing and protecting information that do not involve flash technical wizardry – and by the way – it is often these mundane items that are the cause of a “security breach”, not an energy-drink-loaded hacker!
Drewe Hinkley (CISSP) has over 5 years' experience in the Information and Communication Technology industry, working first as an Area Systems Specialist for an international hotel chain as New South Wales state IT Manager, and 2IC for Australia, before progressing into an Asia Pacific Regional role as a Consultant – Governance and Risk Management, acting as a lead contact for many external information security and PCI DSS audits.