CERIAS - Center for Education and Research in Information Assurance and Security


Prioritizing Processes and Controls for Effective and Measurable Security

Gene Kim - Tripwire, Inc

Sep 20, 2006

Size: 221.4MB


Abstract

Are your security & IT controls really effective? Do you know how your security & IT operations compare to high performers?

In this presentation, Gene Kim will share the work he has been doing over the last six years with the IT Process Institute (ITPI), Software Engineering Institute, and Institute of Internal Auditors, codifying the observed practices of high-performing IT organizations. These high performers have a culture of change management, a culture of causality and a perpetual desire to detect variance before it causes a catastrophic event.

Specifically, Gene will discuss the ITPI IT Controls Benchmarking Survey of practice, a recently completed research project that has quantified the value, effectiveness, efficiency and security of controls. This landmark research has uncovered an alternative approach to being an effective security executive, based on measuring security by its ability to maintain its existing commitments; integrate controls into daily IT operations (prevent); put automated controls in place to detect variance before loss events (detect); reduce the percentage of security incidents that result in loss events (detect); and successfully conduct and conclude security investigations.

Attendees will learn about the key research findings:
* That high performers have 5-8x higher operational and security
effectiveness and efficiency measures
* The 20% of IT controls that deliver 80% of the measurable benefits,
how to implement them, and the prescriptive steps to take in order to
achieve defined security results
* The specific processes and controls that have shown catalytic and
sustaining properties, meaning that the value they add demonstrably
exceeds the cost to implement and report on them.

About the Speaker

Gene Kim is the CTO and founder of Tripwire, Inc. In 1992, he
co-authored Tripwire while at Purdue University with Dr. Gene Spafford.
Since then, Tripwire has been adopted by more than 5,000 enterprises
worldwide. In 2004, Kim co-founded the IT Process Institute, which is
dedicated to research, benchmarking and developing prescriptive guidance
for IT operations, security management and auditors. He also
co-authored the "Visible Ops Handbook: Implementing ITIL in Four
Practical And Auditable Steps" and was a principal investigator on the
IT Controls Performance Study project, completed in 2006. Kim currently
serves on the Advanced Technology Committee for the Institute of
Internal Auditors, and was part of the team that defined change
management best practices for the recently released IIA Global
Technology Guide "Change and Patch Management Controls: Critical for
Organizational Success."

Since 1999, Kim has been working with SANS, the Software Engineering
Institute and the IIA to capture how "best in class" organizations have
IT operations, security, management, governance and audit working
together to solve common business objectives. Kim holds an M.S. in
computer science from the University of Arizona and a B.S. in computer
sciences from Purdue University. Gene is certified on both IT
management and audit processes, holding both ITIL Foundations and
CISA certifications.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52, West Lafayette Campus.

Disclaimer

The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.