page 1 | www.ciber.com | ©2009
www.ciber.com
A Look at The Global Security Practice
Practice Overview
CIBER Global Security Practice
• CIBER Global Security Practice focuses exclusively on IT security services
• CIBER Global Security Practice has been providing security services continuously for over 15 years
• The CIBER Global Security Practice has been part of CIBER for 8+ years
• Based in CIBER’s Denver Colorado headquarters, we deliver services worldwide in partnership with CIBER branch offices
• Small company agility and focus, backed by the full resources of CIBER
Key Strengths
• 15+ years of successful delivery of security services
– Outstanding references and reputation
• Staff with average 14+ years of security experience
– Dedicated staff – security is primary career focus of all staff
– CISSP certifications
– Background checks/security clearances
• Proven track record on world-class, large-scale projects
• Able to address the universe of strategic security issues
• Broad experience
– Commercial – small, medium, large
– Federal/State/Local Government
– Regulatory/standards compliance experience – SOX, HIPAA, GLB, FISMA, ISO 17799, PCI-DSS, many others
• Able to design and build comprehensive, integrated security solutions
– Not just point products
– Not tied to specific vendors
Define. Achieve. Maintain.
CIBER's Approach to Security
CIBER’s Approach to Security
Define
• Security Assessment and Strategy
Achieve
• Security Solution Design and Implementation
Maintain
• Information Security Outsourcing
Define
CIBER Global Security Practice helps you define your security goals!
Define
• CIBER Global Security Practice helps you define your security goals through a risk management approach:
– Risk & vulnerability assessments
– Regulatory compliance analysis
– Enterprise security strategy
– Identity theft assessment
– Third Party Risk Management
Risk & Vulnerability Assessment
Scope of Modules Can Be Easily Tailored To Address Client-Specific Security Standards, Assessment Methods, or Regulations
Regulatory Compliance Analysis
• Best of breed security frameworks
• Requirements traceability
• Readiness planning for HIPAA, GLB, PCI-DSS, Sarbanes-Oxley and other 3rd party or legislated requirements
Enterprise Security Strategy
• Security program planning
• Security architectural development
• Achievable business-driven security roadmap
[Diagram: “Build Up” security program model with columns PROGRAM, MANAGE, DOCUMENT, EDUCATE, PROTECT, DETECT, RESPOND. Elements shown: executive commitment, charter, dedicated ISO, strategic planning, funding, cross-functional security oversight; roles and responsibilities, security skills, asset risk management (life cycle approach); policies, standards, procedures, asset ID and classification; awareness programs, general training, specialized training, procedures; non-technical, technical and physical controls (network, OS, DB, application, electronic communications, verbal/written, personnel); reviews, compliance monitoring, intrusion detection, auditing and event logging; incident response, disaster recovery, business continuity.]
Identity Theft Assessment
• Business application and database surveys to determine location of personal information storage
• Identity management process and controls assessments with recommendations
Third Party Risk Management
• Third Party Vendors process, transmit, and store sensitive company and client data
– Vendors have access to sensitive information. Which vendors? What information?
– Third parties may not meet security standards
– “Check box” audits are a snapshot in time
• Management of Risk posed by service providers through Identification, Assurance, and Maintenance
– Determining what vendors have access to what data
– Establish security controls, risk ratings, and define corrective actions
– Ensure risk is mitigated and conduct annual reviews
• Benefits
– Immediate improvement to security posture
– Fully managed process
– Informed business decisions
– Regulatory compliance
– Customizable
Achieve
CIBER Global Security Practice helps you achieve your security goals!
ACHIEVE
• Application security
• Security technology process integration
• Independent validation & verification
• Security policy & procedure development
• Remediation of security deficiencies
• Security training & knowledge transfer
• Disaster recovery/business continuity planning
• Security incident planning
• Identity theft management & protection
• Third party risk management
• Compliance validation
Strategy for Effective Security Designs
• Integrate security with development life cycle to design in security and reduce overall risk
• Maintain independence of security oversight to allow an unbiased perspective and consistent standards
• Provide business owners with reliable assurance evidence and risk analysis to enable their risk acceptance decisions
• Provide evidence of compliance with security and privacy regulations
Designing Security Into Applications
• Timely and relevant security input at each stage of application development
• Reference: NIST Special Publication 800-64, “Security Considerations in the System Development Life Cycle”
Designing Security Into Applications
• Design
– Analyze potential attacks/risks
– Focus areas of greatest risk
– Specify security features
– Focus on prevention of unauthorized access – detection as secondary objective
• Build
– Mandate secure coding practices
• Test
– Security assurance testing before acceptance
• Monitor
– Monitor logs
– Validate security posture during operations
– Evaluate security impact of changes
Maintain
CIBER Global Security Practice helps you maintain your security posture!
MAINTAIN
• Real-time 24X7 event monitoring
• Security device management
• Vulnerability management
• Incident investigation, response & recovery
• Event correlation
• Compliance reporting
Information Security Outsourcing
• Providing managed security services for over 7 years
– Large scale reach
– Global device management
– Enterprise service agreements
• World-class Security Information Management (SIM) technology
• Customer-focused hands on approach
– 24x7 staffed security operation center
– Dedicated delivery team
– Compliance oriented reporting
• Core focus & commitment to managed security services
• Proven track record - 100% customer retention
Information Security Outsourcing
Service Offerings
• Security Program Documentation
• Demonstrates Proof-of-Controls to Management and Auditors
• Compliance reporting supporting regulations and control frameworks such as PCI DSS, Sarbanes-Oxley (SOX), FISMA, HIPAA, GLBA, ISO/IEC 27002:2005, NIST 800-53
• 24x7 Event & Report Access via Customer Portal
• Monthly / Quarterly Service & Report Review
• System, internal and external audit support
• Secure build and configuration management support
[Diagram: Security Services – Security Information and Event Management; Firewall & Intrusion Detection/Prevention; Anti-Virus; Compliance Management; Incident Response & Investigation; Vulnerability & Patch Management; Application Risk Management; Security Compliance Management]
Security Philosophy
• Security framework: Leverage a well understood, documented and enforceable security posture
• Robust security infrastructure: Use “defense in depth” concepts based on latest technology
• Dedicated security operations: Experienced, trained security operations personnel and proven processes
• Provide proof of controls: Provide evidence of vigilant monitoring and compliance mapped to regulatory and audit requirements
“Among the many dynamics shaping the U.S. managed security services market today, growing security complexity, the evolving pace of today's technology, and stringent compliance mandates are driving demand and spending for managed security services.” -- Irida Xheneti, U.S. Managed Security Services 2008–2012 Forecast and Analysis, IDC, Aug 2008.
Security Maturity for Your Business
During the next five years, Gartner Dataquest expects that worldwide revenues from IT outsourcing will grow from $161.7 billion in 2002 to $232.1 billion in 2007, a CAGR of 7.5% per year.
What is Application Outsourcing?
• When an IT services provider assumes responsibility for the management of all or part of an application portfolio to help the client meet key business objectives.
– Package or custom-developed, new or legacy systems
– Performance goals and service level metrics
– Multi-year contracts with monthly fixed fees
[Diagram: outsourcing service areas – Network and Infrastructure Outsourcing; Full IT Outsourcing; Application Outsourcing; QA Testing Outsourcing; Help Desk/Call Center Outsourcing]
CIBER Security Clients
Sample of Satisfied Security Clients
CIBER Security serves a variety of clients across all sectors (Federal, State and Local Government, and Commercial), helping them reach their goals.
American Express ● Atlas Oil ● Bank of America ● Bellco ● CitiGroup ● Citizens Bank ● CoBank ● Collin County ● Coors ● County of San Francisco ● FAA ● FBI ● FDIC ● First Data Corporation ● Ford Motor Company ● IFF ● Hanger Orthopedic ● Marin County ● NASA ● NSA ● NSF ● OTS ● State of Colorado ● State of Iowa ● State of Kansas ● State of Missouri ● State of New Jersey ● State of North Carolina ● State of Missouri ● UniGroup ● US Army Reserves ● University of Colorado
CIBER Experience – Service Provider
Problem
• As a leading provider of products and small business services, this client is faced with challenges to grow and re-shape its business, and is held to very high security standards by its Financial Institution clients.
Solution
• CIBER is providing a wide range of security operations services including, but not limited to, complete security operations, asset database development, identity management, log aggregation and the implementation of an intrusion detection system.
Benefit
• By transitioning security activities to CIBER, the client can focus on their core business functions and leverage CIBER to increase the effective maturity level of their security operation.
CIBER Experience - Large East Coast Bank
Application Assessment Reviews
Problem
• Client has 90+ internal applications of unknown security status
• Needs a risk assessment methodology to perform uniform comprehensive security evaluation of all applications to highlight risk areas and prioritize security spending
Solution
• CIBER proposed definition of a custom qualitative risk methodology and prototype assessments of two key applications
• Follow on work includes support for performance of risk assessments for remaining applications
Benefit
• CIBER was able to determine the security posture of the applications and work with the application owners to ensure that a satisfactory level of security was maintained, minimizing the potential for breaches.
CIBER Experience - Amica Mutual Insurance Company Security Assessment
Problem
• Amica had completed security enhancements and was looking for an assessment to validate the work.
Solution
• Discovery – With no information other than the company name, CIBER performed an external vulnerability assessment.
• External and Internal Vulnerability Assessment – CIBER performed a port scan and external/internal vulnerability scan.
• Manual Validation – CIBER validated open ports, the existence of vulnerable files, vulnerable versions, etc., initially through technical tools and processes.
Benefits
• CIBER was able to identify areas for improvement that benefited Amica's security program.