Defending the Digital Frontier: An Overview
Mark W. Doll, Americas Director, Digital Security Services, Ernst & Young LLP
Rudy Giuliani's call to action
"The time has come for senior executives of U.S. corporations to follow the President's lead and make security a mainstream, business-critical, board-level issue... the time when security-related decisions could be left to persons at a mid-manager level or decided solely upon budgetary considerations has passed. Senior executives must now take the steps to plan, prepare and practice to address their organizational security threats and challenges."
Additional legislative requirements
California Senate Bill 1386, effective July 1, 2003, requires a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.... The bill would require an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data, as specified. The bill would state the intent of the Legislature to preempt all local regulation of the subject matter of the bill. This bill would also make a statement of legislative findings and declarations regarding privacy and financial security.
The Security Frontier
[Figure: The Security Frontier. Impact of Failure (Low to High) plotted against Probability of Failure (Low to High), with IT usage rising from the 1970s through the 2000s; the curve is labelled "Productivity improvement / increased risk" and "Reliance on IT".]
The digital frontier and corresponding security risk combine to create a new frontier. We call this the security frontier.
The Digital Security Gap
Caught up in the pursuit of productivity improvements, management apparently overlooked security.
[Figure: The Digital Security Gap. Total spending (Low to High) over time (1990s to 2000s); the widening distance between the Total IT Spending curve and the Total Security Spending curve is the digital security gap.]
6 Key Security Characteristics
1) Aligned digital security
[Figure: alignment among Business Objectives, the Information Technology Organization, Digital Assets and Digital Security.]
The attainment and maintenance of appropriate alignment among digital security, the IT organization, digital assets and business objectives.
The distance between the top levels of management and the security team is known as the Security Management Gap.
79% of respondents in the 2002 Ernst & Young Digital Security Overview survey indicated that the documentation, implementation and follow-through cycle for their information security policies was not being carried out completely.
2) Enterprise-wide digital security
[Figure: corporate-wide scope of digital security.]
A holistic view of the security needs for the entire organization, as well as its extended enterprise, to ensure consistent, efficient deployment. Critical authority is given to a centralized body to ensure consistently highly effective security throughout the organization.
86% of companies surveyed have intrusion detection systems in place. However, of those companies, only 35% actively monitor 95% to 100% of their critical servers for intrusions. An intrusion detection system that is deployed but whose alerts on critical servers are not watched produces detections that no one acts on.
3) Continuous digital security
Real-time monitoring and updating of all security policies, procedures and processes to ensure a timely response to issues and opportunities.
Not occasionally. Not periodically. Continuously.
46% of respondents indicated that they use manual or partially automated methods of tracking physical assets, as opposed to fully automated methods.
4) Proactive digital security
[Figure: Risk intelligence (Low to High) over time. The traditional approach peaks at an initial assessment and decays until each periodic assessment; the proactive approach sustains risk intelligence through ongoing monitoring.]
The ability of a security program to effectively anticipate potential threats and vulnerabilities and to maintain the confidentiality, integrity and availability of the organization's digital assets.
Only 16% of respondents have wide-scale deployment of a vulnerability tracking mechanism and knowledge of all critical information vulnerabilities.
5) Validated digital security
[Figure: Rigor of validation. Who validates: Self, Peer, 3rd Party. What is validated against: a Unit, a Business Objective, a Standard. Status of the control: Deployed, Validated, Tested.]
Achieving highly effective digital security requires third-party validation of critical security components and business objectives.
66% of respondents indicated that their information security policies are not in complete compliance with the domains defined by ISO 17799, CISSP, Common Criteria or other recognized models.
6) Formal digital security
[Figure: degree of formality, from Situational and Experience-based, through Documented (Minimally to Highly), to Confirmed and Formal.]
Policies, standards and guidelines that provide fundamental direction on digital security issues and are endorsed by senior staff. To be formal, they must be documented and tested, then communicated to every member of the organization.
13% of respondents have integrated business continuity and disaster recovery plans that address recovering the entire enterprise. 7% indicated they have no documented plans in place.
Executive management must understand:
Scenario-based simulations: table-top exercises
The organization’s response
Critical roles and responsibilities
Action plans to minimize the effect of an incident
Monitor and test responses
Model and define risk: establish consistent threat categories
[Table: Digital Impact/Risk categories (Risk to Customer Segment; Risk to Multiple Customers; Chronic or Series of Inefficiencies; Core Process or System Shutdown; Tactical Inefficiencies) mapped to the Department of Homeland Security advisory levels: 1 Low (Green), 2 Guarded (Blue), 3 Elevated (Yellow), 4 High (Orange), 5 Severe (Red).]
The fulcrum of control
[Figure: Impact of Occurrence (Low to High) plotted against Frequency of Occurrence (Low to High), risk levels 1 to 5. The fulcrum of control divides the plot into an "Immediate Action" region and an "ROI Decision" region.]
The ability to control and contain digital security incidents is the key to success.
Management must determine this tipping point, or fulcrum, and use it to drive their focus.
Manage risk for a competitive advantage
[Figure: Impact of Occurrence (Low to High) plotted against Frequency of Occurrence (Low to High), risk levels 1 to 5, comparing Company A with the Industry.]
Maintaining digital availability when your competitors in your industry fail is critical for most companies' long-term success.
Highly effective security cultures:
are chief executive-driven
maintain a heightened sense of awareness
utilize a digital security guidance council
establish timetables for success and monitor progress
drive an enterprise-wide approach
The level of commitment of an organization's personnel to the principles of security will determine the success or failure of the digital security program.
For more information...
Mark Doll, Americas Director, Digital Security Services, Ernst & Young LLP
212-773-1265
Web site: ey.com/security
Security Info-line: 888-706-2600