Artwork

Content provided by Andy Willingham, Martin Fisher, Steve Ragan, Joseph Sokoly, and Yvette Johnson. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Andy Willingham, Martin Fisher, Steve Ragan, Joseph Sokoly, and Yvette Johnson or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
Player FM - Podcast App
Go offline with the Player FM app!

Episode 95: Episode 203 - Evaluating Your Security Program: Threat Mapping

24:11
 
Share
 

Archived series ("Inactive feed" status)

When? This feed was archived on October 02, 2020 00:10 (4y ago). Last successful fetch was on July 03, 2019 15:18 (5y ago)

Why? Inactive feed status. Our servers were unable to retrieve a valid podcast feed for a sustained period.

What now? You might be able to find a more up-to-date version using the search function. This series will no longer be checked for updates. If you believe this to be in error, please check if the publisher's feed link below is valid and contact support to request the feed be restored or if you have any other concerns about this.

Manage episode 197973508 series 12330
Content provided by Andy Willingham, Martin Fisher, Steve Ragan, Joseph Sokoly, and Yvette Johnson. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Andy Willingham, Martin Fisher, Steve Ragan, Joseph Sokoly, and Yvette Johnson or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

Show Notes

Episode 203 - Evaluating Your Security Program: Threat Mapping

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  2. Start At The Outside and Move Your Way In
    1. How is this different from threat modeling?
    2. Threat modeling is listing what could happen to you.
    3. Threat mapping is mapping the holes in your program.
  3. What is “Threat Mapping”?
    1. Must have a assessment management program
      1. you can’t protect what you don’t know about
      2. This isn’t “I have a CMDB”. It’s actually taking actions based on what you know about what you have
      1. Map assets to known threats
        1. industry
        2. entry points
        3. technology
        4. Online threat maps
      2. What are you doing to know this?
      3. What controls do you currently have in place to mitigate or reduce the risk?
    2. Understand what your “real” threats are
      1. Apps
      2. Infrastructure
      3. 3rd parties
      4. etc
    3. Scope and prioritize - break down into areas to tackle
  4. How To Get Started
    1. Scorecard (KRI)
      1. What is important and helpful
    2. Risk Registry
  5. How To Measure
    1. Use your risk registry or GRC tool to track progress and keep management updated. You need them onboard to improve.
    2. once you have some areas mapped don’t ignore them
    3. implement solid change control and change management processes
    4. keep risk scores updated so you aren’t focusing on unimportant things
  6. How To Improve/Modify

  continue reading

105 episodes

Artwork
iconShare
 

Archived series ("Inactive feed" status)

When? This feed was archived on October 02, 2020 00:10 (4y ago). Last successful fetch was on July 03, 2019 15:18 (5y ago)

Why? Inactive feed status. Our servers were unable to retrieve a valid podcast feed for a sustained period.

What now? You might be able to find a more up-to-date version using the search function. This series will no longer be checked for updates. If you believe this to be in error, please check if the publisher's feed link below is valid and contact support to request the feed be restored or if you have any other concerns about this.

Manage episode 197973508 series 12330
Content provided by Andy Willingham, Martin Fisher, Steve Ragan, Joseph Sokoly, and Yvette Johnson. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Andy Willingham, Martin Fisher, Steve Ragan, Joseph Sokoly, and Yvette Johnson or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

Show Notes

Episode 203 - Evaluating Your Security Program: Threat Mapping

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  2. Start At The Outside and Move Your Way In
    1. How is this different from threat modeling?
    2. Threat modeling is listing what could happen to you.
    3. Threat mapping is mapping the holes in your program.
  3. What is “Threat Mapping”?
    1. Must have a assessment management program
      1. you can’t protect what you don’t know about
      2. This isn’t “I have a CMDB”. It’s actually taking actions based on what you know about what you have
      1. Map assets to known threats
        1. industry
        2. entry points
        3. technology
        4. Online threat maps
      2. What are you doing to know this?
      3. What controls do you currently have in place to mitigate or reduce the risk?
    2. Understand what your “real” threats are
      1. Apps
      2. Infrastructure
      3. 3rd parties
      4. etc
    3. Scope and prioritize - break down into areas to tackle
  4. How To Get Started
    1. Scorecard (KRI)
      1. What is important and helpful
    2. Risk Registry
  5. How To Measure
    1. Use your risk registry or GRC tool to track progress and keep management updated. You need them onboard to improve.
    2. once you have some areas mapped don’t ignore them
    3. implement solid change control and change management processes
    4. keep risk scores updated so you aren’t focusing on unimportant things
  6. How To Improve/Modify

  continue reading

105 episodes

All episodes

×
 
Loading …

Welcome to Player FM!

Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.

 

Quick Reference Guide