e-ID: are you (proven) in control?
INFORMATION RISK MANAGEMENT
DENNIS VAN HAM
© 2006 KPMG EDP Auditors N.V., member of KPMG International, a Swiss cooperative. All rights reserved.
Introduction and setting the scene
Identity: who are you? And how can we be sure it’s you?
Access: what are you allowed to do?
Business: protection of information is important but please don’t bother me;
Technology: lots of it available but how reliable is it really?
Audit and compliance management: proven in control?
Impact on people – changing threats, and fast
Timeline of threats, 2003 to 2006:
“Classic” Phishing
Keylogging
Malware
Spyware
Botnets
Trojan Horses
Pharming
Man-in-the-Middle Attacks
And more …
People are different and have many e-ID’s
Hip, 20-something male
Thinks he’s immune to online fraud
Freely gives away his personal information
Has a firewall and antivirus
Clicks on any link
His motto: I grew up with the Internet. I’m not afraid of it.
Tentative mother of grown children
Learning to navigate the Net
Considering banking online, but hasn’t taken the leap yet
Afraid of hackers from news story about ID theft victims
Her motto: The Web is complicated! Better to be safe than sorry.
Young, traveling businessman with a family
Juggles 30 passwords
Uses two-factor authentication at work
Wonders if it’s available for his personal accounts
His motto: Internet security is key, but I can’t carry one more thing
Source: RSA Security
Impact on business
Compliance: SOX, HIPAA, privacy, Basel II, FDIC, etc.
Corporate or IT governance: lack of clear strategy; timely implementation of policies or resolutions; policy enforcement and reporting.
Security: protection of intellectual property; rising administration and helpdesk costs; complex technologies and application infrastructure.
IT-security survey: six important signals
Technology remains very dynamic; proper risk analysis is key but is not applied on a large scale;
Insufficient expertise most important motive for outsourcing IT-security;
Hacking, viruses and worms significant threats, companies have little insight into the quality of their protection;
Authorisation management is structured ineffectively and inefficiently;
Continuity management is often organised on paper but it is usually not certain whether it also works well in practice;
The growing use of mobile devices requires attention.
Compliance – but not a goal in itself
Complex and getting management attention is difficult
Reality bites – ‘identity and access’ information everywhere
How does an auditor think?
Identity & Access Management – in a nutshell
[Diagram: significant integration effort required. Three platform stacks (J2SE/J2EE, Windows/.NET, UNIX/LAMP), each layered as APIs and protocols, frameworks, and OS and infrastructure, with processing, networking, storage and security at the base. Spanning all three is the cross-platform identity and access management layer: authentication, authorization, provisioning, audit management, meta-directory and federation.]
More information?
Dennis van Ham, Consultant
KPMG Information Risk Management
Burgemeester Rijnderslaan 20, 1185 MC Amstelveen
Postbus 74105, 1070 BC Amsterdam
Telephone +31 (0)20 6568103, Fax +31 (0)20 6568388
E-mail: [email protected]
Internet: www.kpmg.nl/irm