Page 1
Robert Garigue
VP and Chief Information Security Officer
Controlling Order and Disorder
The evolving role of the CISO within the new structures of Information Systems
Page 2
Outline of our expedition
Background and Analysis Frameworks
– Business models
– The nature of the threats
The strategic information security framework
– Environmental factors
– Information security processes
Evolution of information security functions
– Alignment and Integration challenges
– Emerging new risks and concerns
Reflections on the nature and evolving role of the Chief Information Security Officer
Travels in a foreign land
Page 3
BMO Financial Group
• Founded in 1817 – First Canadian Bank
• Highly diversified financial institution
– retail banking
– wealth management
– investment banking
• Assets of $256 billion at October 31, 2003
• 34,000 employees
• Strong presence in US Mid-West through Harris Bankcorp
• Overseas offices around the world
Page 4
Metrics of the Digital BMO
200+ Mainframes
276+ Open System Business Critical Applications
37,000 Desktops
2500 support servers
6000 main network devices
165 Terabytes of data storage, growing 50%+ a year
Several Million Transactions/sec
Page 5
Myths and Realities
For some the world is a multidimensional place
…and for others… it is still flat…
There are always myths and realities.
Page 6
An evolving organizational context: Information Society
Some of the New Realities:
• Information based productivity
• Computer mediated decisions
• Rise of the knowledge worker
• Network centric structures and value chains
• Command and Control hierarchies are displaced by Cooperative, Commutative and Coordinated organizations
• “a burden shared is a burden halved .. an intellectual asset shared is one doubled”
Page 7
The Integrated Informational Value-Chain
Linked, Complementary, Interdependent
From Goods or Services to Goods with Services
Page 8
Information Flows : Health Care Ecosystem
Page 9
The impact will be felt in the three realms of cyberspace:
Physical
Process
Content
Page 10
The Evolution of the Noosphere (Teilhard de Chardin)
Main Frame → Client Server → Mobile and Peer to Peer
Focus shifts from Organizations (command and control) to Individuals (cooperation, coordination, and communication)
Ubiquitous, Trusted, Affective, Advisory, Always on, Social
Page 11
It is full of Risk: These are the shape of “Things Now Dead”
Page 12
But there will always be conflict between Open systems and Closed systems…. Violent conflict …
Pablo Picasso. Guernica. 1937. Oil on canvas. Museo Nacional Centro de Arte Reina Sofía, Madrid, Spain
Page 13
Zero-day: the Slammer worm – 30 minutes later
Page 14
Information Security: A new oxymoron
Information
Security
The debate
Page 15
Arguments For Getting Funding: Levels of Maturity of the Organization
Fear, Uncertainty and Despair: “The hackers, the viruses, will get us unless…”
The Herd Mentality: “The king needs taxes”…
The Analytical ROI? “Investment in Intrusion Prevention Systems is better than…”
Arguments that have yet to come:
“Because we can take on more business and manage more risks”
(brakes are what let cars go faster)
Page 16
Information Security – Managing Expectations
Sometimes it is just a communication issue…
Page 17
Consequence A: Information Security Officer as The Jester
Sees a lot
Can tell the king he has no clothes
Can tell the king he really is ugly
Does not get killed by the king
Nice to have around but…how much security improvement comes from this ?
Page 18
Consequence B: Information Security Officer as Road Kill
Changes happened faster than he was able to move
Did not read the signs
Good intentions went unfulfilled
A brutal way to end a promising career
Sad to have around but…how much security improvement comes from this ?
Page 19
Maybe a better model for CISO: Charlemagne
• King of the Franks and Holy Roman Emperor; conqueror of the Lombards and Saxons (742-814) - reunited much of Europe after the Dark Ages.
• He set up other schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court - encouraging the development of a standard script.
• He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity in every class of people.
• He relied on Counts, Margraves and Missi Domini to help him.
– Margraves - guarded the frontier districts of the empire. Margraves retained, within their own jurisdictions, the authority of dukes in the feudal arm of the empire.
– Missi Domini - messengers of the King.
Page 20
Knowledge of “risky things” is of strategic value
How to know today tomorrow’s unknowns?
How to structure information security processes in an organization so as to identify and address the NEXT categories of risks?
This is the mandate of information security.
Page 21
The Interconnected Societies: the critical Infrastructure
Common layers (bottom to top):
– Geographical map layer (geo-political boundaries)
– Terrain layer (elevation)
– Feature layer (land use, cities, buildings, towers)
– Physical backbone layer (cables, fiber routes, satellites)
– Transport services layer (SONET rings, ATM, PSTN)
– Telecom services layer (Internet, data, voice, fax)
Sector-dependent layers (technical application layer, control layer, operations layer), by sector:
– Telecom / Utilities: billing & resource planning; load balancing, reliability; SS7, SCADA; grid / pipeline monitoring & control
– Financial: billing & payment, Internet banking; financial services utilities; stock / financial exchanges; POS terminals, ATMs
– Healthcare: billing, administration; diagnostics, electronic records; hospitals, labs & clinics, pharmacies; HL7
– Government: legislation, taxation; law and order; secure channels; provincial and federal services
Page 22
Indicators and warnings
External environment: the rates of evolution
– 16 new malware products launched every day: viruses, worms, trojan horses, spyware etc.
– 7 new vulnerabilities discovered every day
– 20 minutes “guarantee”
– Probes against financial institutions’ web sites launched every 6 seconds
– Social engineering is on the rise: people are the weak link
Threat actors: hackers, script kiddies, industrial espionage, cyber-terrorists, competitors, suppliers
Page 23
Indicators and warnings : Threats and targets
The McKinsey Quarterly, 2002 Number 2 Risk and resilience Daniel F. Lohmeyer, Jim McCrory, and Sofya Pogreb
Page 24
Manufacturing exploits: The electronic Petri dish
Malware: spyware + trojan + spam + exploits + social engineering
Page 25
Indicators and warnings
How money was lost – Rough order of magnitude (ROM)
Source: CSI/FBI Computer Crime and Security Survey 2003; 530 US-based corporations, government and educational institutions

                                            Highest reported   Average loss
                                            ('000 US$)         ('000 US$)
Denial of Service                           60,000             1,427
Theft of proprietary information            35,000             2,700
Insider abuse of Net access                  6,000               135
Viruses and worms                            6,000               200
Financial fraud involving info. systems      4,000               329
Sabotage of data or networks                 2,000               215
Laptop theft                                 2,000                47
System penetration by outsider (hacking)     1,000                56
Active wiretapping                             700               352
Telecom fraud                                  250                50
Unauthorized insider access                    100                31
Telecom eavesdropping                           50                15
Page 26
Identity Theft in Canada
Page 27
Hacking Beliefs
Identity Theft
– One of the fastest growing crimes. Statistics Canada reports 13,359 cases, $21.5 million losses in 2003
– Account takeover (credit cards, bank accounts)
– Application fraud (open new accounts with victim’s ID)
– Industry needs improved identity management solutions and strong public awareness
Phishing (using email scams to collect confidential information)
– Key issues: detection, shutting down bogus sites, customer awareness
– Banks are posting warnings on their public sites, and updating security page information with “Q&A” type of information.
Page 28
Emergent Complexity : Spam Space as Risk
Page 29
Structuring Risks
An Organizational Risk Categorization Taxonomy
Page 30
Structuring Risks
Regulatory Environment: where are the controls?
(the slide groups the following under Privacy and Security)
– Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada
– Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) – U.S.
– California Law SB 1386 – California
– HIPAA (Health) – U.S.
– Office of the Superintendent of Financial Institutions (OSFI) – Canada – Guideline B10
– The Financial Services Authority (FSA) – England – OS Section 4
– Federal Financial Institutions Examination Council (FFIEC) – U.S.
– Office of the Comptroller of the Currency (OCC) – U.S. – OCC 2001-47
– The Bank Act – OSFI – Canada – Guidelines B6, B7, B10
– Federal Financial Institutions Examination Council (FFIEC) – U.S. – SP-5 Policy
– Sarbanes-Oxley Act (SOX) – U.S.
– Bill 198 – Canada
– SEC Rule 17a-4
– Basel II Accord
– European Union Directives on Information Security
– Canada’s National Security Program
– Patriot Act – U.S.
Page 31
Regulatory Penalties & Fines Grid

Name of regulatory mandate   Some potential penalties                                               Potential fines
SOX (Sarbanes-Oxley Act)     20 years in prison                                                     $15 million
Basel II                     Regulatory agency penalties: vary by G-20 country                      Regulatory agency fines: vary by G-20 country
HIPAA                        10 years in prison                                                     $250,000
GLBA                         10 years in prison                                                     $1 million
Patriot Act                  20 years in prison                                                     $1 million
DoD 5015.2                   Failure to qualify for DoD contract; contract breach; FAR penalties    Contract penalties
California SB 1386           Unfair trade practice law penalties: vary by state                     Private civil and class actions; unfair trade practice law fines: vary by state
SEC Rule 17a-4               Suspension/expulsion                                                   $1 million+
Page 32
Emergent Behaviors: An Ecological View of Organizational Risk
(influence diagram; the nodes are listed here by group, the + / – links between them are not recoverable from the slide)
Environment: the information infrastructure; the market drivers; new technology; threats; laws; standards; practices; priorities; resources; compliance; outsourcing; projects
Governance bodies (Inet, Ipt, ARB, etc.): risk management; education and awareness; reviews; audit; capital at risk; RCSA; LoB risk officers; escalations; alerts; IPC; Network Security Council; active information security strategy
Security services: access management; identity management; certificates; crypto policy; vulnerability analysis; data classification
Organizational accumulated technical residual risk = the accumulation of the Tech Residual Risks left behind by projects and new technology
Page 33
Information Security organization as result of the knowledge transfer process
The Knowledge Transfer Cycle
(chart: x-axis Passive → Real time; y-axis Organizational Complexity/Capability, Low → High; driven by Technical Threats)
Security functions, in order of increasing capability and real-time response:
Virtual Private Networks
Firewalls
Virus Scanners
Intrusion Detection Monitoring
Vulnerability Analysis
Real Time Response
Role-based identity Access management
Digital Rights Management
Page 34
Knowledge transfer
The Knowledge Transfer Cycle 2
Knowledge networks feeding the cycle: BMO IS; CBA; FI CIRT & other banks; Vendors; FIRST; Projects; PSECP; CANCERT; Clients and Businesses; wireless; Info/infrastructure; Utilities; Health; Telecom
(overlaid on the same chart as the previous slide: Passive → Real time against Organizational Complexity/Capability Low → High, with the security functions Virtual Private Networks, Firewalls, Virus Scanners, Intrusion Detection Monitoring, Vulnerability Analysis, Real Time Response, Role-based identity Access management and Digital Rights Management)
Page 35
Control Framework is a hierarchy of accountability structures
Layers (top to bottom): Privacy; Security; Business Applications; Clients/Users; Operational Support; Content control; Access Management; Perimeter Protection; Infrastructure; Infostructure
Mechanisms: Network Protection; Operating System Protection; User Access Control and Authorization; Object Integrity; Content Certification; Digital Signatures
Page 36
Information Security Management Framework
(risk/cost plotted against the lifecycle Business Requirements → Design → Development → Implementation → Operations; risk curves)
STRATEGIC – risk level: low – Governance and policies
• Policies • Standards • Procedures • Guidelines • Awareness • Research
TACTICAL – risk level: medium – Application/system development and deployment
• Design reviews • IS solutions • Due care • Risk acceptance • New technology insertion
OPERATIONAL – risk level: high – Active security posture
• Antivirus management • Vulnerability assessments • Intrusion detection • Incident response
OPERATIONAL – IS services
• Access management • Key management • Security token management • Other operational services
Page 37
Information Security Key Performance Indicators
Policy
– Number of policy exceptions
– Number of risk acceptances
– Value of residual risk
Process
– Number of security issues in new projects
– Number of ID accounts (active/dead)
– Number of keys / digital certificates / tokens
– Time to respond to patches, incidents
– Losses due to security incidents
People
– Number of certified personnel
– Overall capital investment ratio, security to IT spend: per system, per person, per incident
Tycho Brahe (1546-1601)
Page 38
Information Security Key Performance Metrics
(chart) Count of Virus Infections on BMO VPN, by month, December 2003 to April 2004 (scale 0–12)
(chart) Risk Acceptance and ISM Exception Forms, Q3 2003 to Q3 2004 (scale 0–160): Active ISM Exceptions (+4.2% vs. Q2), Active Risk Acceptances (+4.2% vs. Q2)
(chart) Project & Issue Tracking, Q3 2003 to Q3 2004, Number of Issues (0–800) and Number of Projects (0–100): Open Issues (+8.17% vs. Q2), Closed Issues (+58.7% vs. Q2), Open Projects (+2.57% vs. Q2)
(chart) April Microsoft Security Patch Deployment (Servers + Workstations = 36,000 systems reported): % complete against days elapsed; Patch announced at 0 days; Advisory upgraded (exploit emerges); Major areas complete at 16 days; Sasser worm emerges at 17 days
Page 39
April Microsoft Security Patch Deployment (Servers + Workstations = 36,000 systems reported)
(chart) % complete against days elapsed, with thresholds marked: Patch announced at 0 days; "Accelerated" threshold at 2 days; proposed "Accelerated" threshold at 7 days; "Normal" threshold at 2 weeks; Advisory upgraded (exploit emerges); Major areas complete at 16 days; Sasser worm emerges at 17 days
Microsoft Patch Deployment
        H            M            L
H       Emergency    Accelerated  Accelerated
M       Accelerated  Accelerated  Normal
L       Accelerated  Normal       Normal
Note: the April 2004 release required 4 separate patches
Historical Trend Analysis – days to patch (90% complete)
April 2004 Critical (4)         16
February 2004 Critical           9
Nachi/Blaster (August 2003)     34
SQL Slammer (January 2003)     209
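The deployment matrix and the days-to-90% figures above can be tracked mechanically. The following is an added example, not BMO's tooling and not from the original deck: it encodes the H/M/L matrix, treating rows as patch severity and columns as asset exposure (the slide does not label the axes), uses the slide's Normal (2 weeks) and proposed Accelerated (7 days) thresholds plus an assumed 1-day Emergency limit, and runs a constructed daily coverage series shaped like the April 2004 curve against them.

```python
"""Patch-deployment tracking against the deployment matrix.

Added example; not BMO's tooling.  Assumptions not stated on the slide:
matrix rows are patch severity and columns asset exposure; "Emergency"
gets a 1-day limit (the slide gives none); the daily coverage series is
constructed to follow the April 2004 curve.
"""
from bisect import bisect_left
from typing import Dict, List, Optional

# Rows: patch severity; columns: exposure of the affected assets (assumed).
DEPLOYMENT_MATRIX = {
    "H": {"H": "Emergency", "M": "Accelerated", "L": "Accelerated"},
    "M": {"H": "Accelerated", "M": "Accelerated", "L": "Normal"},
    "L": {"H": "Accelerated", "M": "Normal", "L": "Normal"},
}

# Days allowed to reach the coverage target.  Normal = 2 weeks and the
# proposed Accelerated = 7 days are from the slide; Emergency is assumed.
THRESHOLD_DAYS = {"Emergency": 1, "Accelerated": 7, "Normal": 14}

# The slide measures "days to patch" at 90% of reporting systems complete.
COVERAGE_TARGET = 90.0

# Constructed daily cumulative coverage (%), day 1 first, shaped like the
# April 2004 chart: 90% is crossed on day 16, one day before Sasser.
APRIL_2004 = [5, 12, 20, 28, 36, 44, 52, 60, 67, 73, 78, 82, 85, 87, 89, 90, 91, 92]
SASSER_DAY = 17

# Historical "days to 90%" figures from the slide, oldest first.
HISTORY = [
    ("SQL Slammer (January 2003)", 209),
    ("Nachi/Blaster (August 2003)", 34),
    ("February 2004 Critical", 9),
    ("April 2004 Critical (4)", 16),
]


def deployment_class(severity: str, exposure: str) -> str:
    """Map severity x exposure (each 'H', 'M' or 'L') to a deployment class."""
    try:
        return DEPLOYMENT_MATRIX[severity.upper()][exposure.upper()]
    except KeyError:
        raise ValueError(f"severity/exposure must be H, M or L: {severity!r}/{exposure!r}")


def days_to_coverage(daily_pct: List[float], target: float = COVERAGE_TARGET) -> Optional[int]:
    """First day (1-based) on which cumulative coverage reached `target`,
    or None if it never did.  A cumulative series must not decrease; a dip
    normally means systems dropped out of inventory, so it is rejected
    rather than silently searched."""
    for prev, cur in zip(daily_pct, daily_pct[1:]):
        if cur < prev:
            raise ValueError("cumulative coverage must be non-decreasing")
    idx = bisect_left(daily_pct, target)
    return idx + 1 if idx < len(daily_pct) else None


def assess(daily_pct: List[float], severity: str, exposure: str,
           exploit_day: Optional[int] = None) -> Dict[str, object]:
    """Compare a deployment with its class threshold and, when known,
    with the day an exploit appeared in the wild."""
    cls = deployment_class(severity, exposure)
    limit = THRESHOLD_DAYS[cls]
    reached = days_to_coverage(daily_pct)
    return {
        "class": cls,
        "threshold_days": limit,
        "days_to_90": reached,
        "within_threshold": reached is not None and reached <= limit,
        "patched_before_exploit": (
            exploit_day is not None and reached is not None and reached < exploit_day
        ),
    }


def trend_deltas(history=HISTORY) -> List[int]:
    """Change in days-to-90% between consecutive releases (negative = faster)."""
    days = [d for _, d in history]
    return [b - a for a, b in zip(days, days[1:])]


if __name__ == "__main__":
    print(assess(APRIL_2004, "H", "M", exploit_day=SASSER_DAY))
    print(trend_deltas())  # [-175, -25, 7]: April 2004 was slower than February
```

Run as a script it reports that the April 2004 deployment, classed Accelerated, reached 90% on day 16, outside the 7-day threshold but one day ahead of Sasser; `trend_deltas` exposes the regression from 9 to 16 days between the February and April releases that the historical table shows.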
Page 40
Active security posture – Vulnerability Analysis results
Major Networks: CWAN, BWAN, Nesbitt Burns Capital Markets, Harris (units not stated on the slide)

Year/Quarter   CWAN   BWAN   Nesbitt Burns Capital Markets   Harris
2001           1.84   2.91   6.04                            3.35
2002 – Q1      2.53   3.38   5.34                            2.04
2002 – Q2      2.08, 1.84 (two values reported; column assignment not recoverable from the slide)
2002 – Q3      2.93, 3.19, 4.77 (three values reported)
2002 – Q4      3.01, 2.41, 2.35 (three values reported)
2003 – Q1      2.63, 2.98, 3.59 (three values reported)
(accompanying chart series: CWAN, Capital Markets, Nesbitt Burns)
Page 41
Quarterly Information Security Dashboard
Enterprise Information Security Service – Information Security Group
Columns: Last Q, Forecast, Posture, Training, Details on page (pages 6–21 of the detailed report)
Rows, grouped as they appear on the slide:
– IS Policy & Strategy
– Standards & Architecture
– Project Assessments
– Security Practices & Technology
– Information Protection Centre: Anti Virus; Vulnerability Assessment; Intrusion Detection; Response/Management
– Information Security Operations: Key Management; Encryption (PKI); Access Management; CSPIN (devices); Remote Access
– Business Analytics: analytics / reporting
– Education & Awareness
Legend: unsatisfactory; fully satisfactory; positive trend; negative trend; stable; key issues (status icons not reproduced)
Page 42
Making The Case for Security Investments
Return on Investment (ROI) has failed to make the economic case, because there are too many variables:
– Benefits are hard to quantify: what is the value of good health?
– Statistical data is unreliable and changes fast
– Cost avoidance is not the same as cost savings
– The “language divide”: accounting vs. security
– Loss of credibility is more costly than loss of physical assets
– Technology substitution is not a guarantee of more capability
(chart: Total Security costs, Incident Costs and Security Investments; the balance point is marked “?”)
Page 43
The Security Challenge: Alignment
The Digital Divide: two solitudes, in virtual isolation
Security services: Anti-Virus; Patches; Vulnerability Assessments; Incident management; Intrusion detection; Application security; Access management; Key management
Project assessment
IT processes: Application development; Architecture; Problem management; Incident management; Change management; Service level; Configuration; Firewall rules; Capacity; Availability; IT Service continuity
Page 44
Maturity Framework Levels: Stages of Evolution of a system

Phase             Description
0. Absence        Nothing present
1. Initiation     Concrete evidence of development
2. Awareness      Resources allocated
3. Control        Formalized
4. Integration    Synergy between processes
5. Optimization   Continuous self improvement & optimization

Characteristics: visible results; management reports; tasks/authorities defined; active rather than reactive; documentation; formal planning
Page 45
Maturity Frameworks pedigree: The reference framework
“It is better not to proceed at all than to proceed without method” – Descartes
Page 46
Information Security Maturity model
– ISO 17799
– Information Technology Infrastructure Library (ITIL)
– SEI CMM (Capability Maturity Model)
Page 47
A proposal for a new integrated risk framework
The objective is to lower the overall risk through capability maturity framework integration
Lifecycle: Bus. Req. → Design → Development → Implementation → Operations
Frameworks aligned along it: ITIL; SEI CMM; ISO Project; ISO 17799
Risk Management through Maturity Framework alignment
Organizational focus: ?
Page 48
Strategic Evolution of Information Security
Present Security Model
– Packet Level Integrity: IP level; protocol aware; perimeter based
– Closed Business systems: closed API; limited number of users; single admin; simple provisioning
– Perimeter Control: node based; heterogeneous; islands of security; under-maintained
Target Security Model
– Application Level Assurances: XML based; application control; content aware; higher value
– Integrated Business Systems: accessible API; many users; multiple connections; cross-organization access
– Managed Security Services: integrated network view; consistent policies; tiered administration; remote monitoring and management
Page 49
The new Information Security challenge: Managing the “Roles and Content” via “Rights and Privileges”
(chart: Number of Digital IDs and Applications growing through Mainframe → Client Server → Internet → Business Automation → Mobility, across Company (B2E), Partners (B2B) and Customers (B2C))
Growth of “unstructured” documents
ROLES / CONTENT
Page 50
Information centric organization
• Content is increasingly easy to collect and digitize
• Has increasing importance in products and services
• Is very hard to value or price
• Has a decreasing half life
• Has increasing risk exposure
– integrity, quality
– regulation: privacy / SOX
• Is a significant expense in all enterprises (IT Governance – Weill and Ross)
Michael C. Daconta
Page 51
Where are the risks coming from? The rise of the info-structure
Where is the locus of control outside the boundaries of the organization?
Information Security Management has to recognize a requirement for a content control model that is independent from a specific technical solution, to deal with the new information security risks in “semantics management”.
The focus then moves to content management and its issues: Topic Maps, XML, RDF, UDDI, XBRL, SAML, Ontologies, and more and more XML.
Infostructure: Content
Policy: Rules
Infrastructure: Technology
<tag> CONTENT </tag>
Page 52
The Integrated Architecture: Content and Technology
Components: Web Server; clients (Web, PDA, Cell); Content Management System; Provisioning Engine; Static Content; Style Sheets; Syndication Server; Data Server; Profiles, Rights and Privileges, Rules; Applications
Flows: request with user ID / password; content request; content response; customized XML docs / info
Page 53
The Architecture of the Infostructure: The Ontology of Information Management
Risk Assessment; Content Classification / Sensitivity; Business Applications; Roles
XML, Topic Maps, RDF, UDDI, XBRL
Rule mapping: from Policies to XML
Content domains: Offerings; Resources; Transactions; References; Locations; Policy and regulations; Directions; Contracts; Finances; Markets
Related concepts: Quality of Service; ROI on Intellectual Capital; Knowledge; Information life cycle; Data quality; SOA; Peer to Peer; Groupware; Taxonomies; Syntax; Organizations; Outcomes; E-Content Life Cycle Management; Process; Policies; Standards; NetBiz; RosettaNet; Architecture
Page 54
Information Management as Information Security
NEW IMPERATIVES
Data Classification
Information stewards
Content lifecycle management
Identity Management
Digital Rights Management Services

Recommended controls (accumulate as you go down) and examples of content, by classification:
Public
– Controls: contracts, licensing, usage and log files for activity purposes
– Examples: news clippings; market data
Internal
– Controls: assets labeled with their classification; broad access control
– Examples: log files; policy documents; routine procedures
Confidential
– Controls: encryption (anonymizing, pseudonymizing); separation of duties; secured log files and access control; review of sample logs; systems involved are assessed periodically and around significant changes; trained and certified people involved in design and operation
– Examples: password lists; customer names; project documentation; customer snapshots; credit card numbers; account numbers
Highly Sensitive
– Controls: review and sign-off of logs by stewards and custodians; systems involved are assessed periodically and around significant changes; host/device monitoring for intrusion; trained and certified information security people involved in the review of operations
– Examples: customer public identification associated with account information; customer data with SIN; strategic plans
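The accumulating controls above amount to a high-water-mark rule: an asset carries the classification of its most sensitive content and must implement every control at or below that level. The following is an added example, not BMO's tooling and not from the original deck: the levels, content examples and controls come from the table, while the short control identifiers, the content-type keys and the two-asset inventory are constructed for illustration.

```python
"""Classification high-water marking and control gap analysis.

Added example, not BMO's own tooling.  The four levels, the content
examples and the controls come from the classification table; the short
control identifiers, content-type keys and sample inventory are constructed.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Ordered from least to most sensitive.
LEVELS = ["Public", "Internal", "Confidential", "Highly Sensitive"]

# Controls that first become mandatory at each level.  Controls accumulate:
# a level requires everything listed at or below it.
CONTROLS_INTRODUCED_AT: Dict[str, List[str]] = {
    "Public": ["activity-logging"],            # usage and log files for activity purposes
    "Internal": ["classification-label", "broad-access-control"],
    "Confidential": [
        "encryption",                          # with anonymizing / pseudonymizing
        "separation-of-duties",
        "secured-logs-and-access-control",
        "sample-log-review",
        "periodic-and-change-assessment",
        "certified-staff-design-and-operation",
    ],
    "Highly Sensitive": [
        "steward-log-signoff",
        "host-intrusion-monitoring",
        "certified-infosec-operations-review",
    ],
}

# Content examples from the table, keyed by a normalised content type.
CONTENT_LEVEL: Dict[str, str] = {
    "news clipping": "Public", "market data": "Public",
    "log file": "Internal", "policy document": "Internal", "routine procedure": "Internal",
    "password list": "Confidential", "customer name": "Confidential",
    "project documentation": "Confidential", "customer snapshot": "Confidential",
    "credit card number": "Confidential", "account number": "Confidential",
    "customer id with account info": "Highly Sensitive",
    "customer data with sin": "Highly Sensitive", "strategic plan": "Highly Sensitive",
}


def required_controls(level: str) -> Set[str]:
    """Union of the controls introduced at `level` and at every level below it."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification level {level!r}")
    needed: Set[str] = set()
    for lvl in LEVELS[: LEVELS.index(level) + 1]:
        needed.update(CONTROLS_INTRODUCED_AT[lvl])
    return needed


def classify_asset(content_types: Iterable[str]) -> str:
    """High-water mark: an asset is classified at the level of its most
    sensitive content.  Unknown or missing content is an error, not 'Public',
    so that a typo in an inventory cannot silently downgrade an asset."""
    highest = -1
    for ctype in content_types:
        key = ctype.strip().lower()
        if key not in CONTENT_LEVEL:
            raise ValueError(f"unclassified content type {ctype!r}")
        highest = max(highest, LEVELS.index(CONTENT_LEVEL[key]))
    if highest < 0:
        raise ValueError("asset has no inventoried content")
    return LEVELS[highest]


def control_gaps(content_types: Iterable[str], implemented: Iterable[str]) -> Tuple[str, List[str]]:
    """Classify the asset and return (level, sorted list of missing controls)."""
    level = classify_asset(content_types)
    missing = required_controls(level) - set(implemented)
    return level, sorted(missing)


# Constructed inventory: a customer database and a press archive.
SAMPLE_ASSETS = {
    "crm-db": {
        "contents": ["Customer Name", "Account Number", "Customer data with SIN"],
        "controls": {"activity-logging", "classification-label", "broad-access-control",
                     "encryption", "separation-of-duties", "periodic-and-change-assessment"},
    },
    "press-archive": {
        "contents": ["news clipping", "market data"],
        "controls": {"activity-logging"},
    },
}


def gap_report(assets=SAMPLE_ASSETS) -> Dict[str, Tuple[str, List[str]]]:
    """Level and missing controls for every asset in the inventory."""
    return {name: control_gaps(a["contents"], a["controls"]) for name, a in assets.items()}
```

The constructed `crm-db` entry holds a SIN, so it is Highly Sensitive and `gap_report` lists the six controls it still lacks (steward sign-off of logs, host intrusion monitoring and so on); the press archive is Public and needs nothing beyond activity logging.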
Page 55
The New Audit Space – Control of Content: Digital Rights Management
(entity-relationship diagram; the entities and the relation labels shown on the slide)
Entities: Individual (Employee, Non-Employee); Position; Individual Position; Position Hierarchy; HR Reporting Hierarchy (“Reports to”); Org Unit / Location; Role; CPM Role Group; Provision Role Group; Standard Target; Application User ID (Actual and Target); EnID; Activity; Right / Privilege; Enterprise Asset; Application System; User Interface (Desktop)
Relation labels: Reports to; Is a; Occupies; Requires; Identifies access needs of role; EnID maps to; Is needed to access; Has a; Is part of; Generates; Updates; Targets are based on; Is at a; Includes; Is Granted; Applies to
Reading of the diagram: an Individual occupies a Position; the Position is a Role, which is part of a Role Group that identifies the access needs of the role; the rights and privileges an Activity requires apply to Enterprise Assets; the Standard Target for each Application User ID is generated from the role groups, and the Actual user IDs are compared against it
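The Actual versus Target pairing in the diagram is the point of the model: the rights an individual should hold are derived from the position they occupy, and the application user IDs actually granted are reconciled against that target. The following is an added example, not BMO's provisioning code and not from the original deck: the Individual → Position → Role → Role Group → Right/Privilege → Enterprise Asset chain follows the slide, while the role names, assets, employee IDs and sample grants are constructed.

```python
"""Target-versus-actual entitlement reconciliation over the role model.

Added example, not BMO's code.  The chain Individual -> Position -> Role ->
Role Group -> Right/Privilege on Enterprise Asset follows the slide; role
names, assets, employee IDs and the sample grants are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Right:
    privilege: str   # what may be done ...
    asset: str       # ... to which enterprise asset


# Role group -> rights: "identifies access needs of role".
ROLE_GROUP_RIGHTS: Dict[str, Set[Right]] = {
    "teller-core": {Right("read", "core-banking"), Right("post", "core-banking")},
    "branch-supervision": {Right("approve", "core-banking"), Right("read", "branch-reports")},
    "hr-self-service": {Right("read", "hr-portal")},
}

# Role -> provisioning role groups it is made of.
ROLE_GROUPS: Dict[str, Set[str]] = {
    "Teller": {"teller-core", "hr-self-service"},
    "Branch Manager": {"teller-core", "branch-supervision", "hr-self-service"},
}

# Position -> role ("is a"); individual -> position ("occupies").
POSITION_ROLE = {"Teller, Branch 0421": "Teller", "Manager, Branch 0421": "Branch Manager"}
INDIVIDUAL_POSITION = {"E10234": "Teller, Branch 0421", "E10077": "Manager, Branch 0421"}


def target_rights(individual: str) -> Set[Right]:
    """Standard target: the rights an individual should hold given their position.
    Someone with no position (a departed employee, a contractor never entered
    in HR) has an empty target, so every actual grant they hold is excess."""
    position = INDIVIDUAL_POSITION.get(individual)
    if position is None:
        return set()
    role = POSITION_ROLE[position]
    rights: Set[Right] = set()
    for group in ROLE_GROUPS[role]:
        rights |= ROLE_GROUP_RIGHTS[group]
    return rights


def reconcile(individual: str, actual: Set[Right]) -> Tuple[Set[Right], Set[Right]]:
    """Return (to_revoke, to_provision): grants beyond the target, and target
    rights that have not been granted."""
    target = target_rights(individual)
    return actual - target, target - actual


# Constructed "actual" picture, as pulled from application user-ID exports.
ACTUAL_GRANTS: Dict[str, Set[Right]] = {
    "E10234": {Right("read", "core-banking"), Right("post", "core-banking"),
               Right("approve", "core-banking"),      # left over from a temporary cover
               Right("read", "hr-portal")},
    "E10077": {Right("read", "core-banking"), Right("post", "core-banking"),
               Right("approve", "core-banking"), Right("read", "hr-portal")},
    "C55001": {Right("read", "branch-reports")},       # contractor with no HR position
}


def reconcile_all(grants: Dict[str, Set[Right]] = ACTUAL_GRANTS):
    """Reconcile everyone seen in the application exports, plus anyone who
    has a target but holds no grants at all."""
    everyone = set(grants) | set(INDIVIDUAL_POSITION)
    return {ind: reconcile(ind, grants.get(ind, set())) for ind in sorted(everyone)}
```

With the constructed data, the teller's leftover `approve` right is flagged for revocation, the manager is missing `read` on branch reports, and the contractor with no position has every grant flagged, which is the segregation-of-duties and orphan-account review the slide's Actual/Target comparison is meant to drive.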
Page 56
The next level of challenge: Aligning the Infostructure with the Infrastructure
Daconta
(chart: Passive → Real time against Organizational Complexity/Capability Low → High; security functions Virtual Private Networks, Firewalls, Virus Scanners, Intrusion Detection Monitoring, Vulnerability Analysis, Real Time Response, Role-based identity Access management, Digital Rights Management)
Infrastructure Architecture
Infostructure Architecture: XML Firewalls; Semantic Management; Content Management
Page 57
The New Security Debate Space
The B2B market forces are enabling standards.
– B2B models
– Taxonomies and ontologies
– XML Protocols
– WS-Security standards
What protocol and standards drive your business ?
Do you have an Information Security Officer debating these issues ?
Page 58
The Role of the Chief Information Security Officer
1. Information Risk identification
2. Information Risk formalization
3. Development of practices and tools
4. Integrate “root cause” analysis into governance framework
5. Devolve processes from exception management into operations
6. Improve Information asset identification and management accountability
Page 59
The Dynamics of Systems Changes
"There is no problem so complicated that you can't find a very simple answer to it if you look at it the right way."
-- Douglas Adams
The key to progress is the process of feedback in its most simple form, two-way communication.
Pink Floyd; Norbert Wiener
Page 60
Social Engineering … at its best…
Page 61
The future of information security is bright ..
Become a CISO and survive
Page 62
Colophon
Page 63
Thank you