Defending the Digital Frontier
Rudy Giuliani’s Call to Action
“The time has come for senior executives of U.S. corporations to follow the President's lead and make security a mainstream business critical, board-level issue…the time when security-related decisions could be left to persons at a mid-manager level or decided solely upon budgetary considerations has passed. Senior executives must now take the steps to plan, prepare and practice to address their organizational security threats and challenges.”
Digital Security Breach: The True Cost
Cost: $15 to $20 million, or 1% to 1.5% of Sales per Incident
Tangible Losses:
• Lost Productivity
• IT Support Costs
• IT systems/software
Intangible Losses:
• Damage to Brand
• Third party liability
• Loss of customer/supplier confidence
The greatest loss as a result of an IT security breach is the intangible impact.
Security drivers in Today’s complex environment
Economic Drivers: ROI, Risk, Profits, Homeland Security, Shareholder Value, Productivity
Regulation: HIPAA, GLB, Sarbanes Oxley, Patriot Act, Homeland Security Act
Industry/Regulatory Groups: BAI, DOC, DOT, FDIC, Federal Reserve, FEI, FFIEC, FSISAC, Infraguard, ISACA, ISF, ISSA, NCUA, NIST
Standards: BS7799, CBCP, CISSP, ISO 17799, ITIL, SANS/GIAC
Complex Technologies: Security Management, Network Management, Operational Integrity, Managed Security Services, Authentication, Authorization, Administration, Encryption, Firewall/VPN
Multiple Drivers Are Bringing Digital Security to the Boardroom
A “Triple Witching Event”:
• Privacy/Fraud (CA1386, GLB, HIPAA)
• Homeland Defense (Homeland Security Act, USA Patriot Act)
• Sarbanes-Oxley
IT Executives are increasingly focused on controls
Drivers: Technical Advances & Increasing Regulation (HIPAA, Sarbanes-Oxley, Homeland Security)
Improving Function:
• Feature
• Productivity
• Reliability
Improving Control:
• Security
• Predictability
• Stability
What is the Digital Frontier?
The digital frontier is the forward edge of technological impact with respect to organizations’ usage of technology and their reliance upon it for productivity improvements.
[Figure: Productivity Improvement plotted against IT Usage (Low to High) and Reliance on IT (Low to High), rising from MF (1970s) through Client/Server (1980s) and Internet (1990s) to Mobile (2000s).]
Increase Security Risks
As organizations invest for productivity improvement to the edge of the digital frontier, they also encounter increased security risks via a greater impact of and probability of technology failures.
[Figure: Increased Risk plotted against Impact of Failure and Probability of Failure (Low to High), rising from MF (1970s) through Client/Server (1980s) and Internet (1990s) to Mobile (2000s).]
The Security Frontier
The digital frontier and corresponding security risk combine to create a new frontier. We call this the security frontier.
[Figure: the digital frontier (Productivity Improvement / Reliance on IT against IT Usage) overlaid with the security risk curve (Increased Risk / Impact of Failure against Probability of Failure), 1970s through 2000s.]
The Digital Security Gap
Caught up in the pursuit of productivity improvements, management apparently overlooked security.
[Figure: Total Spending (Low to High) over Time, 1990’s to 2000’s; the distance between the Digital spending curve and the Digital Security spending curve is the Digital Security Gap.]
6 Key Security Characteristics
1) Aligned
The attainment and maintenance of appropriate alignment between digital security, the IT organization, digital assets and business objectives.
[Figure: Business Objectives, Digital Assets, IT Organization and Digital Security shown as aligned elements.]
The distance between the top levels of management and the security team is known as the Security Management Gap.
79% of respondents in the 2002 Ernst & Young Digital Security Overview survey indicated that the documentation, implementation, and follow-through cycle for their information security policies was not being carried out completely.
2) Enterprise-Wide
A holistic view of the security needs for the entire organization, as well as its extended enterprise, to ensure consistent, efficient deployment. Critical authority is given to a centralized body to ensure consistently highly effective security throughout the organization.
86% of companies surveyed have intrusion detection systems in place. However, of those companies, only 35% actively monitor 95% to 100% of their critical servers for intrusions.
3) Continuous
Real-time monitoring and updating of all security policies, procedures, and processes to ensure a timely response to issues and opportunities.
Not occasionally. Not periodically. Continuously.
46% of respondents indicated that they use manual or partially automated methods of tracking physical assets as opposed to fully automated methods.
4) Proactive
The ability of a security program to effectively anticipate potential threats and vulnerabilities and to maintain the confidentiality, integrity, and availability of digital assets.
[Figure: Risk Intelligence (Low to High) over Time, Traditional versus Proactive, with Initial Assessment, Periodic Assessment and Ongoing Monitoring marked.]
Only 16% of respondents have wide-scale deployment of a vulnerability tracking mechanism and knowledge of all critical information vulnerabilities.
5) Validated
Achieving highly effective digital security requires third-party validation of critical security components and business objectives.
[Figure: Rigor of Validation. Validator: Self, Peer, 3rd Party. Depth: Deployed, Tested, Validated. Scope: To a Unit, To a Business Objective, To a Standard.]
66% of respondents indicated that their information security policies are not in complete compliance with the domains defined by ISO 17799, CISSP, Common Criteria, or other recognized models.
6) Formal
Policies, standards, and guidelines, which provide fundamental direction on digital security issues and are endorsed by senior staff. To be formal, they must be documented and tested, then communicated to every member of the organization.
[Figure: policies rated on two axes, Documented (Minimally to Highly) and Confirmed (Minimally to Highly).]
13% of respondents have integrated business continuity and disaster recovery plans that address recovering the entire enterprise. 7% indicated they have no documented plans in place.
Technology and Business Objective Drives Requirements
[Figure: Security Requirements Zones plotted by Impact (Low to High) against Probability of Failure (Low to High): the Minimum Standards Zone, the Managed Risk Zone and the Trusted System Zone. Example systems placed on the chart: Information Kiosk, Public Web Server, Email Server, eCommerce System, Electrical Power, Financial System, Health Care System, Bank ATM.]
The Security Agenda
9 Strategic Areas of “The Security Agenda”, surrounding the Security Strategy:
• Policies, Standards, & Guidelines
• Intrusion & Virus Detection
• Incident Response
• Physical Security
• Asset & Service Management
• Vulnerability Management
• Entitlement Management
• Privacy
• Business Continuity
Complex Organizational Transformation
All 3 Components Needed
TECHNOLOGY
Intrusion and Virus Detection
Technology components: Database, Router, Biometrics, Application, Operating System, Firewall, Web Server, SNMP
Incident Response
Event Lifecycle (Mobilize) and Program Lifecycle (Administer)
Privacy
Lifecycle: BASELINE (Stakeholder Expectations, Legislation, Organization), DIAGNOSE (Benchmarking/Roadmaps, People, Policies, Operations, Technology), IMPROVE (Remediation Plans, Training), VERIFY (Independent Verification, Service Provider Compliance, Data Registration), MAINTAIN (Ongoing Monitoring, Re-certification)
Policies, Standards, and Guidelines
Physical Security
Structural: Fences, Walls, Gates, Guards, Cameras
Asset & Service Management
Manage and track assets; automate processes.
Teams: CFO Team, IT Audit Team, Key Assets Team
Goals: Accountability, Deployment, Knowledge
• Compliance Audit Ability, Governance and Accountability
• All Critical Infrastructure
• Workflow/Tracking, Feasible Deployment, Know Critical Assets
• Serve and Protect Systems
Technology: Asset Management
Vulnerability Management
IT Process: Expanding control; Expanding scope over critical infrastructure
Teams: CIO Team, Security Team, Security Systems Team, Key Assets Team
Technology & People: Knowledge, Configurations, Policies, Alerts, Just Protect Systems
Entitlement Management
Identity Management: Data Model, Metadirectory, Authentication Management
Access Management: Access Control, User Management, Policy Management
Secure Portals and Single Sign-On
Business Continuity
Business Continuity Roadmap:
• Business Impact Assessment
• Threat and Risk Assessment
• Recovery Strategies
• Business Continuity Plan
• Plan Maintenance Program
A Scorecard for Evaluation & Action
Rate each of the nine areas as High Risk, Medium Risk or Low Risk:
• Policies, Standards, & Guidelines
• Intrusion & Virus Detection
• Incident Response
• Physical Security
• Privacy
• Asset & Service Management
• Vulnerability Management
• Entitlement Management
• Business Continuity
Security Organizational Framework
CEO; Public, Media, Government Relations; Security Committee; Security Officer; Asset Management; Physical Security; Service Management; Continuity Planning; Privacy Officer
Planning:
• Business Requirements
• Education
• Formal Communications
• Governance
• Policies
• Project Management
• Risk Assessment
• Requests for Proposals (RFP)
• Standards & Guidelines
Architecture:
• Technical Requirements/Design
• Technical Security Architecture
• Technology Solutions
Operations:
• Incident Response
• Access Control/Account Management
• Investigations
• Standards/Solutions Deployment
• Training & Awareness
• Vulnerability Management
Monitoring:
• Auditing
• Reporting
• Systems Monitoring
• Security Testing
The Roadmap for Success
Executive management must understand:
• Scenario-based simulations (Table-Top Exercises)
• The organization’s response
• Critical roles and responsibilities
• Action plans to minimize the effect of an incident
• Monitor and test responses
Model and Define Risk
Establish consistent threat categories.
[Figure: Digital Impact/Risk by Impact of Occurrence (Low to High). Digital impact categories: Tactical Inefficiencies; Chronic or Series of Inefficiencies; Core Process or System Shutdown; Risk to Customers; Risk to Customer Segment; Risk to Multiple Customers. Dept. of Homeland Security risk levels: Low, Guarded, Elevated, High, Severe.]
Understand Risk Posture Curve
• Each of the 9 areas of the security agenda determines your risk posture, or how events will affect your organization
• Your risk posture changes as the environment and technology change
[Figure: risk posture curve plotted as Impact of Occurrence against Frequency of Occurrence (Low to High).]
The Fulcrum of Control
• The ability to control & contain digital security incidents is the key to success
• Management must determine this tipping point or fulcrum and use it to drive their focus
[Figure: Impact of Occurrence against Frequency of Occurrence (Low to High), with regions labelled Immediate Action and ROI Decision.]
Forces Affecting Risk
• Every time technology is changed or deployed the risk posture curve moves
• Management must recognize this and deploy security resources accordingly
[Figure: Impact of Occurrence against Frequency of Occurrence (Low to High); New or Changed Technology shifts the curve, and Risk Management responds.]
Manage Risk for a Competitive Advantage
• Maintaining digital availability when your competitors in your industry fail is critical for most companies’ long-term success
[Figure: Impact of Occurrence against Frequency of Occurrence (Low to High).]
6 Characteristics by Industry
[Figure: survey scores (scale 2.55 to 4.15) for each of the six characteristics, Aligned, Enterprise-Wide, Continuous, Proactive, Validated and Formal, broken out by industry: Auto/Man, Energy, Financial Services, Life Sciences, Tech/Media, Telecom.]
Security “Orbit of Regard”
• Security is a top executive issue
• Today, companies will compete on being able to respond to a digital threat
• Top executives must close the digital security gap.
[Figure: CEO concerns in orbit: Growth, Products/Services, Market Share, Customer Service, with Digital Security shown in successive orbits for the 1980s, 1990s and 2000s.]
Highly Effective Security Cultures:
• are chief executive-driven
• maintain a heightened sense of awareness
• utilize a digital security guidance council
• establish timetables for success and monitor progress
• drive an enterprise-wide approach
The level of commitment of the organization’s personnel to the principles of security will determine the success or failure of the digital security program.
For More Information…
Sajay Rai, CEO and Managing Partner, Securely Yours LLC, 248-723-5224