Defending the Digital Frontier
Transcript of a PowerPoint presentation. Description: Defending the Digital Frontier. Rudy Giuliani's Call to Action.
2
Rudy Giuliani's Call to Action
"The time has come for senior executives of U.S. corporations to follow the President's lead and make security a mainstream business critical, board-level issue…the time when security-related decisions could be left to persons at a mid-manager level or decided solely upon budgetary considerations has passed. Senior executives must now take the steps to plan, prepare and practice to address their organizational security threats and challenges."
3
Digital Security Breach: The True Cost
Cost: $15 to $20 million, or 1% to 1.5% of sales, per incident
Tangible losses:
• Lost productivity
• IT support costs
• IT systems/software
Intangible losses:
• Damage to brand
• Third-party liability
• Loss of customer/supplier confidence
The greatest loss as a result of an IT security breach is the intangible impact.
4
Security drivers in today's complex environment
Regulation: HIPAA, GLB, Sarbanes-Oxley, Patriot Act, Homeland Security Act
Economic drivers: ROI, risk, profits; homeland security, shareholder value, productivity
Standards: BS7799, CBCP, CISSP, ISO 17799, ITIL, SANS/GIAC
Complex technologies: security management, network management, operational integrity, managed security services; authentication, authorization, administration, encryption, firewall/VPN
Industry/regulatory groups: BAI, DOC, DOT, FDIC, Federal Reserve, FEI, FFIEC, FS-ISAC, InfraGard, ISACA, ISF, ISSA, NCUA, NIST
5
Multiple Drivers Are Bringing Digital Security to the Boardroom
• Privacy/fraud (CA 1386, GLB, HIPAA)
• Sarbanes-Oxley
• Homeland defense (Homeland Security Act, USA Patriot Act)
Digital security sits where all three converge: a "triple witching" event.
6
Technical Advances & Increasing Regulation
IT executives are increasingly focused on controls.
Improving function: feature, productivity, reliability
Improving control: security, predictability, stability
Regulatory pressure: HIPAA, Sarbanes-Oxley, Homeland Security
7
What is the Digital Frontier?
The digital frontier is the forward edge of technological impact with respect to organizations' usage of technology and their reliance upon it for productivity improvements.
[Chart: reliance on IT (low to high) against IT usage (low to high); the frontier advances from mainframe (MF, 1970s) through client/server (1980s) and Internet (1990s) to mobile (2000s), with productivity improvement rising along it.]
8
Increased Security Risks
As organizations invest in productivity improvement out to the edge of the digital frontier, they also encounter increased security risks through a greater impact, and a greater probability, of technology failures.
[Chart: impact of failure against probability of failure along the same progression (MF, client/server, Internet, mobile; 1970s to 2000s); both rise together, giving increased risk.]
9
The Security Frontier
The digital frontier and the corresponding security risk combine to create a new frontier. We call this the security frontier.
[Chart: the two previous plots overlaid; reliance on IT against IT usage with productivity improvement/increased risk along the frontier, and impact of failure against probability of failure, 1970s to 2000s.]
10
The Digital Security Gap
Caught up in the pursuit of productivity improvements, management apparently overlooked security.
[Chart: total spending (low to high) over time (1990s to 2000s); total IT spending plotted against total security spending, with the distance between them labelled the digital security gap.]
11
6 Key Security Characteristics
12
1) Aligned
[Diagram: business objectives, digital assets, the IT organization and digital security held in alignment.]
The attainment and maintenance of appropriate alignment between digital security, the IT organization, digital assets and business objectives.
The distance between the top levels of management and the security team is known as the Security Management Gap.
79% of respondents in the 2002 Ernst & Young Digital Security Overview survey indicated that the documentation, implementation, and follow-through cycle for their information security policies was not being carried out completely.
13
2) Enterprise-Wide
A holistic view of the security needs for the entire organization, as well as its extended enterprise, to ensure consistent, efficient deployment. Critical authority is given to a centralized corporate body to ensure consistently effective security throughout the organization.
86% of companies surveyed have intrusion detection systems in place. However, of those companies, only 35% actively monitor 95% to 100% of their critical servers for intrusions.
14
3) Continuous
Real-time monitoring and updating of all security policies, procedures, and processes to ensure a timely response to issues and opportunities.
46% of respondents indicated that they use manual or partially automated methods of tracking physical assets, as opposed to fully automated methods.
Not occasionally. Not periodically. Continuously.
15
4) Proactive
[Chart: risk intelligence (low to high) over time. The traditional approach relies on periodic assessment; the proactive approach combines an initial assessment with ongoing monitoring.]
The ability of a security program to effectively anticipate potential threats and vulnerabilities and to maintain the confidentiality, integrity, and availability of digital assets.
Only 16% of respondents have wide-scale deployment of vulnerability tracking mechanisms and knowledge of all critical information vulnerabilities.
16
5) Validated
[Chart: rigor of validation along three dimensions: who validates (self, peer, 3rd party), what is validated against (a unit, a business objective, a standard), and how far validation goes (deployed, tested, validated).]
Achieving highly effective digital security requires third-party validation of critical security components and business objectives.
66% of respondents indicated that their information security policies are not in complete compliance with the domains defined by ISO 17799, CISSP, Common Criteria, or other recognized models.
17
6) Formal
[Chart: two axes, documented (minimally to highly) and confirmed (minimally to highly), giving four quadrants: situational, experience-based, documented, and formal.]
Policies, standards, and guidelines, which provide fundamental direction on digital security issues and are endorsed by senior staff. To be formal, they must be documented and tested, then communicated to every member of the organization.
13% of respondents have integrated business continuity and disaster recovery plans that address recovering the entire enterprise. 7% indicated they have no documented plans in place.
18
Technology and Business Objectives Drive Requirements
[Chart: impact (low to high) against probability of failure (low to high), divided into security requirements zones: the Minimum Standards Zone (e.g. an information kiosk), the Managed Risk Zone, and the Trusted System Zone (e.g. a bank ATM, health care system, financial system, electrical power). Other systems placed on the chart: eCommerce system, public web server, email server.]
19
The Security Agenda
20
9 Strategic Areas of “The Security Agenda”
Security Strategy
Policies, Standards, & Guidelines
Intrusion & Virus Detection
Incident Response
Physical Security
Privacy
Asset & Service Management
Vulnerability Management
Entitlement Management
Business Continuity
21
Complex Organizational Transformation
Technology, process, people: all 3 components are needed.
22
Intrusion and Virus Detection
Detection coverage spans the stack: database, router, firewall, web server, SNMP, biometrics, application, operating system.
23
Incident Response
An incident response program has two lifecycles: the event lifecycle (mobilize) and the program lifecycle (administer).
24
Privacy
Privacy program cycle: baseline, diagnose, improve, maintain, verify.
• Baseline: stakeholder expectations, legislation, organization
• Diagnose: benchmarking/roadmaps across people, policies, operations, technology
• Improve: remediation plans, training
• Maintain: ongoing monitoring, re-certification
• Verify: independent verification, service provider compliance, data registration
25
Policies, Standards, and Guidelines
26
Physical Security
Three layers of physical security:
• Structural: fences, walls, gates
• Procedural: guards, cameras
• Digital: biometrics, infrared, authentication, surveillance
27
Asset & Service Management
Asset management spans technology, process and people. Portfolios: cable and circuit, financial, procurement contracts. Functions: manage and track assets; automate processes; manage asset financial information; budget analysis; manage connectivity and cable plant; aid decision-making; streamline processes; manage and track contracts.
28
Vulnerability Management
[Chart: a maturity staircase. The vertical axis, expanding control (IT process), runs from the security team up through the CIO team and IT audit team to the CFO team; the horizontal axis, expanding scope over critical infrastructure (technology & people), runs from the security systems team out to the key assets teams.]
• Knowledge: just protect systems (configurations, policies, alerts); know critical assets
• Deployment: serve and protect systems; feasible deployment; workflow/tracking
• Accountability: all critical infrastructure; governance and accountability; audit ability; compliance
29
Entitlement Management
Entitlement management combines identity management and access management: secure portals, data model, metadirectory, authentication management, single sign-on, access control, user management, policy management.
30
Business Continuity
Phases: define, analyze, design, implement.
• Define: business continuity roadmap
• Analyze: business impact assessment; threat and risk assessment
• Design: recovery strategies
• Implement: business continuity plan; plan maintenance program
31
A Scorecard for Evaluation & Action
[Scorecard: each of the nine agenda areas (policies, standards & guidelines; intrusion & virus detection; incident response; physical security; privacy; asset & service management; vulnerability management; entitlement management; business continuity) is rated against each of the six characteristics (aligned, enterprise-wide, continuous, proactive, validated, formal) as high, medium or low risk.]
32
Security Organizational Framework
CEO
• Public, media, government relations
• Security Committee
• Security Officer, alongside Asset Management, Physical Security, Continuity Planning, Service Management and the Privacy Officer
The Security Officer's four functions:
• Planning: business requirements, education, formal communications, governance, policies, project management, risk assessment, requests for proposals (RFP), standards & guidelines
• Architecture: technical requirements/design, technical security architecture, technology solutions
• Operations: incident response, access control/account management, investigations, standards/solutions deployment, training & awareness, vulnerability management
• Monitoring: auditing, reporting, systems monitoring, security testing
33
The Roadmap for Success
34
Executive management must understand:
• The organization's response
• Critical roles and responsibilities
• Action plans to minimize the effect of an incident
• How to monitor and test responses
Scenario-based simulations: table-top exercises
35
Model and Define Risk
Establish consistent threat categories, mapped to the Department of Homeland Security advisory levels:
Level  Digital impact/risk category          Homeland level  Color
1      Tactical inefficiencies               Low             Green
2      Chronic or series of inefficiencies   Guarded         Blue
3      Risk to customer segment              Elevated        Yellow
4      Risk to multiple customers            High            Orange
5      Core process or system shutdown       Severe          Red
36
Understand Risk Posture Curve
[Chart: frequency of occurrence (low to high) against impact of occurrence (low to high); impact levels 1 Low, 2 Guarded, 3 Elevated, 4 High, 5 Severe.]
Each of the 9 areas of the security agenda determines your risk posture, or how events will affect your organization.
Your risk posture changes as the environment and technology change.
37
The Fulcrum of Control
[Chart: impact of occurrence against frequency of occurrence, levels 1 to 5. The fulcrum of control divides the curve: events on one side call for immediate action; events on the other are an ROI decision.]
The ability to control and contain digital security incidents is the key to success.
Management must determine this tipping point, or fulcrum, and use it to drive their focus.
38
Forces Affecting Risk
Every time technology is changed or deployed, the risk posture curve moves.
Management must recognize this and deploy security resources accordingly.
[Chart: impact of occurrence against frequency of occurrence, levels 1 to 5; new or changed technology pushes the curve outward, and risk management pulls it back.]
39
Manage Risk for a Competitive Advantage
[Chart: impact of occurrence against frequency of occurrence, levels 1 to 5, with Company A's risk posture curve plotted against the industry's.]
Maintaining digital availability when your competitors in your industry fail is critical to most companies' long-term success.
40
6 Characteristics by Industry
[Chart: each of the six characteristics scored for Auto/Man, Energy, Financial Services, Life Sciences, Tech/Media and Telecom on a 2.55 to 4.15 scale. Score ranges across the six industries: Aligned 2.77 to 4.15; Enterprise-wide 2.77 to 3.94; Continuous 3.31 to 4.13; Proactive 2.88 to 3.40; Validated 3.29 to 3.84; Formal 3.25 to 4.09.]
41
Security "Orbit of Regard"
[Diagram: the CEO at the center, with products/services, market share, customer service and growth in close orbit; digital security moves inward from a distant orbit in the 1980s, closer in the 1990s, to an inner orbit in the 2000s.]
Security is a top executive issue.
Today, companies will compete on being able to respond to a digital threat.
Top executives must close the digital security gap.
42
Highly Effective Security Cultures:
• are chief executive-driven
• maintain a heightened sense of awareness
• utilize a digital security guidance council
• establish timetables for success and monitor progress
• drive an enterprise-wide approach
The level of commitment of an organization's personnel to the principles of security will determine the success or failure of the digital security program.