
Page 1

Enterprise Risk Management
September 2010, Miami, FL
© 2010 Enterprise Risk Management

Information Security - Facing the Risks in Electronic Channels and Social Media

Page 2

Agenda

Implementing a Comprehensive Security Program

Conducting Security Risk Assessments – Best Practices

Security Attack Trends and Prevention Strategies

Emerging Technologies and Social Media – Security Threats and Countermeasures

Page 3

Implementing a Comprehensive Security Program

Page 4

Information Security Program

An information security program is an initiative which serves to ensure that information assets are properly protected.

Page 5

Reasons for a Security Program

Minimize costly risks

Provide a structured manner to address information security

Align information security initiatives with business strategies, goals and objectives – IT governance

Comply with laws, regulations and industry standards

Page 6

Information Security Program

Every organization's information security program should be guided by the following:

Clear and comprehensive mission, goals, and objectives

Plans for achieving information security goals and objectives

Performance measures to continuously monitor the efficiency and effectiveness of identified goals and objectives

Page 7

Information Security Program

An information security program should cover:

Security function

Security risk assessment

Security plans

Security policies

Security standards

Security procedures

Page 8

Information Security Program

An information security program should cover:

Information asset ownership

Classification of information assets

Information security laws, regulations and industry standards

Logical security

Physical security

Disaster recovery and contingency planning

Page 9

Information Security Program

An information security program should cover:

Auditing and monitoring

Security incident response

Security awareness and training

Human Resources

Legal

Help desk / user support

Page 10

Information Security Program

An information security program should cover:

System life cycle management

External service providers

Security reviews

Page 11

Security Program Life Cycle

ISO 27001:2005

Page 12

Security Program Life Cycle

Organizations should follow a life cycle approach in developing, implementing and maintaining their information security program:

Establish ISMS

Implement and Operate ISMS

Monitor and Review ISMS

Maintain and Improve ISMS

This approach ensures that security is an ongoing and continually improving process.

Page 13

Who Directs This Initiative?

Board of Directors

Top Management

Information Security Committee

Page 14

How Does a Security Program Affect My Job?

Information security is part of every employee's responsibility.

Security policies, standards and procedures affect everyone – for example:

– Each time someone enters the building

– Each time a password is used

– Each time customer information is viewed or edited

Page 15

Ongoing Monitoring

An effective information security program requires constant review.

Organizations should monitor the status of their programs to ensure that:

– Ongoing information security activities are providing appropriate support to the organization's mission.

– Policies, standards and procedures are current and aligned with evolving technologies.

– Security controls are accomplishing their intended purpose.

Page 16

Conducting Security Risk Assessments – Best Practices

Page 17

Security Risk Assessment

Phase I – Project Initialization

Phase II – System Inventory and Classification of Assets

Phase III – Threat Analysis

Phase IV – Security Controls Testing

Phase V – Implementation of Security Controls

Phase VI – Monitor Security Controls

Page 18

Phase I – Project Initialization

Define the objective

Define the scope

Define the method required (e.g., qualitative, quantitative)

Define the personnel required

Define the approach to gather the information

Define the deliverables for each phase

Page 19

Phase II – System Inventory and Classification of Assets

Document the organization's information assets

– Consider all departments and business processes

– Consider information assets in physical and logical form

Classify the information assets:

– Critical – the organization cannot operate without this information asset.

– Essential – the organization needs the information asset at some point in time.

– Normal – the organization can operate without this information asset for an extended period of time.

Page 20

Phase II – System Inventory and Classification of Assets

Deliverable – Phase II

Item No. | Asset Name   | Asset Description   | Classification (C/E/N) | Owner           | Location   | Other
1        | Payroll 2000 | Payroll Application | E                      | Human Resources | Server - A |

Page 21

Phase III – Threat Analysis

Identify security threats

Identify security vulnerabilities

Identify existing security controls to reduce the risk

Determine the likelihood of occurrence

Determine the severity of impact

Determine the risk level

Page 22

Phase III – Threat Analysis

Identify different types of security threats

– A starting point would be to consider those threats that might actually impact an enterprise

Examples of threats:

– Unauthorized access

– Denial of service

– Social engineering

– Theft

– Hurricane

– Fire

– Pharming

– Phishing

– Virus/worms

Page 23

Phase III – Threat Analysis

Identify different types of security vulnerabilities

– Identify vulnerabilities associated with each threat to produce a threat/vulnerability pair. Vulnerabilities may be associated with either a single or multiple threats.

Examples of vulnerabilities:

– There is no disaster recovery plan

– Flammable materials stored in the data centre

– Lack of fire extinguishers

– Default user IDs and passwords

– Operating system without the latest patch

– Data centre door does not have a lock

– TFTP service enabled on the Unix hosts

– Shared folder with Everyone: Full Control

Page 24

Phase III – Threat Analysis

Identify existing controls to reduce the risk

– Identify existing controls that reduce:

• The likelihood or probability of a threat exploiting an identified security vulnerability.

• The magnitude of impact of the exploited vulnerability on the system.

Page 25

Phase III – Threat Analysis

Deliverable – Phase III

Item No. | Threat Name | Vulnerability Name         | Risk Description | Existing Controls                | Likelihood of Occurrence | Impact Severity | Risk Level
1        | Fire        | Disaster Recovery plan     | <description>    | There is a DRP in place          | Low                      | Damaging        | Moderate
1        | Fire        | Lack of fire extinguishers | <description>    | There are not fire extinguishers | Medium                   | Damaging        | High

Page 26

Phase IV – Security Control Testing

Test the security controls / safeguards that are in place

Consider performing different types of security tests

Determine if the control exists and if the control works effectively and consistently

Determine the residual risk

Determine if additional security controls are required

Develop an action plan to remediate security issues noted

Page 27

Phase IV – Security Control Testing

Deliverable – Phase IV

Item No. | Recommended Safeguard Description | Residual Likelihood of Occurrence | Residual Impact Severity | Residual Risk Level
1        | Install fire extinguishers        | Low                               | Damaging                 | Moderate

The item number is used to reference the vulnerability defined in the Phase III deliverable.
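As an added illustration (not from the slides), the following Python risk register implements the Phase III and Phase IV deliverables above and the Phase V prioritisation by risk: it derives a risk level from likelihood and impact, records the residual level after a safeguard, and rejects a Phase IV row whose item number has no Phase III entry or whose residual risk is higher than the inherent one. The likelihood and impact scales, the risk matrix, the risk descriptions and the item numbering are assumptions of this example; the slides only show the resulting levels.

```python
"""Risk register modelled on the Phase III to Phase V steps of the slides.

Constructed example. The likelihood scale (Low/Medium/High), the impact scale
(Minor/Moderate/Damaging), RISK_MATRIX and the item numbers are assumptions;
the slides only show the resulting risk levels.
"""
from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2


class Impact(IntEnum):
    MINOR = 0
    MODERATE = 1
    DAMAGING = 2


# Assumed qualitative risk matrix, indexed [likelihood][impact]. The two cells
# the slides exercise are Low x Damaging -> Moderate and Medium x Damaging -> High.
RISK_MATRIX = [
    ["Low", "Low", "Moderate"],    # Low likelihood
    ["Low", "Moderate", "High"],   # Medium likelihood
    ["Moderate", "High", "High"],  # High likelihood
]
RISK_RANK = {"High": 0, "Moderate": 1, "Low": 2}  # sort key for Phase V


def rate_risk(likelihood: Likelihood, impact: Impact) -> str:
    """Look up the risk level for a likelihood/impact pair."""
    return RISK_MATRIX[likelihood][impact]


@dataclass(frozen=True)
class RiskItem:
    """One row of the Phase III deliverable: a threat/vulnerability pair."""
    item_no: int
    threat: str
    vulnerability: str
    risk_description: str
    existing_controls: str
    likelihood: Likelihood
    impact: Impact

    @property
    def risk_level(self) -> str:
        return rate_risk(self.likelihood, self.impact)


@dataclass(frozen=True)
class Safeguard:
    """One row of the Phase IV deliverable; item_no references a Phase III row."""
    item_no: int
    description: str
    residual_likelihood: Likelihood
    residual_impact: Impact

    @property
    def residual_risk_level(self) -> str:
        return rate_risk(self.residual_likelihood, self.residual_impact)


def residual_register(risks, safeguards):
    """Join Phase III rows with their Phase IV safeguards.

    Returns {item_no: (inherent level, residual level)}. A safeguard that
    references an unknown item, or that leaves the risk higher than before,
    is a data-entry error and is rejected rather than silently recorded.
    """
    by_item = {r.item_no: r for r in risks}
    out = {}
    for s in safeguards:
        if s.item_no not in by_item:
            raise KeyError(f"safeguard {s.item_no} has no Phase III item")
        inherent = by_item[s.item_no].risk_level
        residual = s.residual_risk_level
        if RISK_RANK[residual] < RISK_RANK[inherent]:
            raise ValueError(f"item {s.item_no}: residual risk exceeds inherent risk")
        out[s.item_no] = (inherent, residual)
    return out


def prioritise(risks):
    """Phase V ordering: highest risk level first, then by item number."""
    return sorted(risks, key=lambda r: (RISK_RANK[r.risk_level], r.item_no))


# Constructed sample rows mirroring the fire example on the slides.
RISKS = [
    RiskItem(1, "Fire", "Disaster Recovery plan", "Fire destroys Server - A",
             "There is a DRP in place", Likelihood.LOW, Impact.DAMAGING),
    RiskItem(2, "Fire", "Lack of fire extinguishers", "Fire spreads in the data centre",
             "There are not fire extinguishers", Likelihood.MEDIUM, Impact.DAMAGING),
]
SAFEGUARDS = [Safeguard(2, "Install fire extinguishers", Likelihood.LOW, Impact.DAMAGING)]

if __name__ == "__main__":
    for r in prioritise(RISKS):
        print(r.item_no, r.threat, r.vulnerability, r.risk_level)
    print(residual_register(RISKS, SAFEGUARDS))
```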

Page 28

Phase V – Implementation of Security Controls

Prioritize implementation of security controls:

Based on risk

By business area

By technical area

Page 29

Phase VI – Monitoring Security Controls

Implement mechanisms to monitor security controls. This phase can include:

Review of system and application logs

Review of system and application exception reports

Different types of audits

Different types of security assessments

Department self-assessments

Page 30

Security Attack Trends and Prevention Strategies

Page 31

Malware infection leapt from 50 percent of respondents to 64.3 percent of respondents

Financial fraud increased from 12% to 20%

Password sniffing increased from 9% to 17%

Laptop or mobile hardware theft or loss remains the same

Page 32

Countermeasures

Apply patches and updates

Implement strong security policies, procedures, and standards

Turn off and remove services that are not needed for normal company network operations

Perform filtering on all network traffic to ensure that malicious activity and unauthorized communications are not taking place

Provide additional security awareness training to end users

Install additional security software (e.g., data leakage prevention products)

Page 33

Countermeasures

Change or replace software or systems

Apply sound configurations to systems and applications

Apply frequent updates to antivirus systems

Apply sound encryption mechanisms

Apply general logical and physical security measures

Page 34

Sources of Information for Developing a Security Strategy

Information security and privacy laws (GLBA, FACT Act)

Industry standards (ISO 27001:2005)

Sector-specific information security standards (PCI)

Previous attacks on your organization / other organizations

General news reports of other attacks / incidents

Information shared in associations / reputable forums

Executive and management priorities

Contracts with business partners

Page 35

Emerging Technologies and Social Media – Security Threats and Countermeasures

Page 36

Social Media and Networking

Social media technology involves the creation and dissemination of content through social networks using the Internet.

Social media and networking are rapidly growing and becoming more popular than e-mail communication.

Examples: Facebook, Myspace, Twitter and LinkedIn

Page 37

Security Issues Relevant to Social Media:

Social engineering: exploits people

Spam and malware attacks: exploit systems

Disgruntled employee: reputational damage to the organization

Legal issues: regulatory sanctions and fines assessed on the organization

Page 38

Countermeasures

Policies and Procedures

– Corporate privacy protection

– Nondisclosure / posting of business-related content

– Acceptable use in the workplace

– Acceptable use outside of the workplace

– Action plan for privacy breaches and escalation

Page 39

Countermeasures

Training and Awareness

– Communicate policies to employees

– Inform employees of risks involved with social media sites

– Social engineering trends and techniques

Technical Safeguards

– Up-to-date antivirus and antimalware controls

– Content filtering programs to restrict/limit access

Audits and Assessments

Page 40

Emerging Technologies that can Help

Emerging security technologies

– Biometrics

– Self-encrypting hard drives

– USB tokens for authentication

– Mobile device security

• Authentication, antivirus, firewalls, anti-spam and encryption for mobile devices

Page 41

Technologies that Require New Security Measures

Cloud Computing

– Shared infrastructure

– Becomes difficult to control and protect

Smart Phones

– Becoming the standard phones

– Another version of a regular computer

I-spoof and other Applications

– Spoof your telephone number and trick individuals who rely on it

Page 42

Countering New Challenges

Establish and enforce strong authentication policies for devices trying to access corporate networks

Require employees to use a corporate VPN and encryption when handling sensitive data

Ensure devices and software applications are configured as per configuration standards

Page 43

Countering New Challenges

Corporate security policies should prevent workers from transferring sensitive data to mobile devices or unauthorized computers

For laptops/netbooks, consider air cards, which require a service plan, instead of hot spots for wireless connections

Page 44

Countering New Challenges

Establish ground rules for the use of devices like the iPad, and develop policies and procedures that take the security limitations of the device into consideration and adequately protect sensitive business data

Perform periodic risk and security assessments

Set resource controls

Page 45

Countering New Challenges

Provide security awareness and training

Eliminate any unnecessary services

Page 46

Enterprise Risk Management

Phone: 305.447-6750

Fax: 305.447-6752

e-mail: [email protected]

URL: www.emrisk.com