TRANSCRIPT
Security & Privacy Services
© 2005 IBM Corporation
Security/Identity & Privacy
Information Security
A Foundation for Compliance and Governance
Security/Identity and Privacy May, 2005© 2005 IBM Corporation
Agenda
What are the security obligations?
Optimizing the approach
Making security operational and sustainable
The current landscape…
Sarbanes-Oxley
New CICA requirements and Bill 198, intended to match SOX
Privacy legislation: PIPEDA + public sector
Other provincial legislation
US and other global legislation
More legislation and regulation is expected, not less!
Bottom line: Increased involvement from Legal and a host of new audit requirements
[News clippings on the slide: "WorldCom Chief Guilty"; photo of Bernard Ebbers, 63, leaving a federal courthouse in New York with his wife Kristie (AP); photo of former WorldCom CFO Scott Sullivan's arrest in December 2002 (CBS/AP)]
Liability resides at the C-level
Agenda: What are the security obligations? / Financial
Sarbanes-Oxley (SOX) is leading the trend in financial legislation…
Who does SOX affect directly?
Companies traded on U.S. exchanges; the US $75m threshold is public float (the SEC's accelerated-filer test), not revenue
More than 1,200 non-American companies are registered and reporting to the SEC and thus must be SOX-compliant; almost 500 of these are Canadian domiciled
Companies traded in other jurisdictions may expect comparable regulatory requirements soon
Prior to SOX, the SEC usually deferred to home-country regulations in many areas
Since 1991, Canadian companies listed in the U.S. have effectively been governed by Canadian regulators under the Multi-Jurisdictional Disclosure System (MJDS)
SOX contains no general exemption for MJDS issuers: expect and assume Canadian regulators will maintain regulations very similar to those in the U.S.
Contains a number of key sections with security implications:
Section 302, CEO and CFO certification (focus in 2002)
Section 404 (current focus)
Sections 409 and 802 are important also
Equivalent Canadian Rules
Bill 198 and Bill 41 (Ontario)
Bill 198 is Ontario's response to SOX, and seeks to restore investor confidence in Ontario (primarily TSX) listed companies
Bill 41 contained several amendments to Bill 198, primarily to facilitate shareholder lawsuits against corporations and directors, and through that vehicle force greater integrity in financial reporting and other public statements
Includes personal responsibility/liability of company officers
The rights of action are for misrepresentations or failure to make timely disclosures
One of the key defences is due diligence
Multilateral Instruments (passed by provincial securities regulators)
52-109, requiring CEO and CFO certification of annual and interim filings:
– Filings do not contain misrepresentations or omissions
– Appropriate design of disclosure and internal controls
– Evaluation of the effectiveness of such controls
– Disclosure of possibly material changes in such controls
52-111, reporting on internal control over financial reporting
Similar to SOX Sections 302 and 404
Canadian initiatives: in effect
SOX by the numbers…
Section 302 – Personal Certification of Controls
Requirement: CEO and CFO must personally certify to the accuracy of financial statements and the efficacy of internal disclosure controls
General implications:
− Establishing and enforcing disclosure controls and procedures at all levels of the company
− Quarterly evaluation of the efficacy of controls by the company
− Disclosure to the audit committee of all significant deficiencies, material weaknesses, and acts of fraud
− Establishing and emphasizing a culture of integrity
Security implications: integrity of data
– No unauthorized modification
– Audit trail on authorized modifications
– Protection against viruses etc.
– Authentication and non-repudiation controls
Status: in effect
SOX by the numbers…
Section 404 – Annual Report on Controls
Requirement: annual report by management on internal controls, attested by external audit firms
General implications:
− Focus on process mapping and documentation of existing controls that have a bearing on financial reporting, test for efficacy, and report on gaps and deficiencies
− Ability to monitor control compliance
Security implications:
– Choose and implement a comprehensive security controls framework
– Measure and report against compliance with the framework
Status: current focus
SOX by the numbers…
Section 409 – Real-time Disclosure
Requirement: SEC to consider rules providing for real-time disclosure of material events
General implications:
− Accelerated reporting requirements place a premium on disclosure controls and a quick quarterly close
Security implications: availability of data
– Protection against denial-of-service attacks or other security problems that impact availability of data
Status: 35/60-day requirements in 2005
SOX by the numbers…
Section 802 – Records Retention
Requirement: criminal penalties for failure to comply with record retention policies, including assurance of no destruction, alteration, or falsification of records
General implications:
− Strengthened document management and retention practices
− Supports the establishment of ethical behavior
Security implications: integrity of data
– No unauthorized access for change/erasure
– Control on allowed actions by authorized users (e.g. no delete/modification)
– Protection against viruses etc.
– Stopping scheduled destruction
Status: in effect
Agenda: What are the security obligations? / Privacy
Why Is Privacy Receiving So Much Focus?
Technology has changed the playing field
Pervasive computing: a geometric rise in the ability to track and gather information 24/7
The Internet: ability for anyone on the planet to send, share, obtain information instantly
Software: analytical and modeling capabilities to correlate, profile and evaluate
The human interface has been replaced with the machine interface
Technology, when misused, can be part of the problem, but can also be part of the solution
Individual concern: people feel they are losing control
They suspect information is being collected without their knowledge
They are not sure how it is being used, how it is protected and who it is being shared with
They are seeing organizations making mistakes that expose their information
They are experiencing annoyance, anxiety and damage (from marketing calls to identity theft)
They are taking action on their concerns (demanding explanations, not dealing with an organization, not providing information, providing false information)
Government response: governments have responded to these concerns with legislation (lots of it)
They are starting to hold senior officers accountable and demand proof of compliance
Privacy Legislation around the Globe
OECD Privacy Principles (1980)
Public sector privacy and freedom of information acts: in most western countries for many decades
Enacted or pending private sector omnibus legislation:
European Data Protection Directive (1998)
Canadian federal (PIPEDA, 2001-4), Quebec, BC, Alberta
Switzerland, Australia, Japan, Argentina, Hong Kong ... and growing
Enacted or pending private sector sectoral legislation (US):
Financial sector - GLB (2001)
Health sector - HIPAA (2002) – also Canada
Children's privacy - COPPA (1999)
California – SB 1386 et al.
Related legislation: telecom, health, labour acts etc.
The 10 CSA Privacy Principles
1. Accountability: appropriate policies, responsibility for data, individuals assigned, 3rd parties
2. Identifying Purposes: documented, reasonable, before collection
3. Consent: informed, not coerced, provision for withdrawal
4. Limiting Collection: limited to purpose, fair and lawful means
5. Limiting Use, Disclosure and Retention: new use = new consent, retain only for purpose, can anonymize
6. Accuracy: accurate for purpose, avoid unnecessary updates
7. Safeguards: appropriate to data sensitivity; physical/organizational/technology; 3rd parties
8. Openness: publish policies/practices, identify type of data and use/disclosure, identify contact
9. Individual Access: disclose existence/use/disclosure, respond promptly, provide access/correction opportunity
10. Challenging Compliance: clear mechanism to receive and respond to challenges
Agenda: What are the security obligations? / Public Expectation
Public expectation leads legislation…
The lines of jurisdiction are blurring. Ex: privacy, which law applies: is it the location of the client? The server? The organization? The data?
The public/press expect a minimum standard, regardless of legislation
Many public sector organizations are taking note of private sector standards (SOX, PIPEDA etc.) due to public expectation
Hard to argue that you have no moral obligation to meet emerging global norms for standards of care: brand is at stake
Only a matter of time before legislation follows…
California Wave – the SB 1386 example
SB 1386 essentially says that if you know or reasonably believe that unencrypted personal information of a California resident has been acquired by an unauthorized person, you must notify each and every individual involved without unreasonable delay
There have been numerous incidents of personal data compromise in the last 3 months:
Bank of America, Ameritrade, Time Warner (loss of tapes)
ChoicePoint (social engineering)
LexisNexis (hackers)
The results: severe brand/stock damage and negative press
Had to apply SB 1386 remedial actions for all, not just California residents
Has sparked a torrent of legislative activity in the US
Privacy Commissioner Releases Findings from CIBC Privacy Inquiry
On April 18, 2005, the Office of the Privacy Commissioner of Canada (OPC) released the findings of its investigation into the Canadian Imperial Bank of Commerce's ("CIBC") well-publicized privacy breach. The incident involved a series of misdirected faxes containing the personal information of CIBC customers that were sent by different branches of the bank to a company in Quebec and another company in the United States. The misdirected faxes were sent between 2001 and 2004 and the bank did not notify customers whose privacy was breached until the matter was picked up by media outlets.
The Privacy Commissioner, Jennifer Stoddart, stated that the failure of CIBC's privacy practices to function properly should serve as a wake-up call to all Canadian organizations. She indicated that the act of publishing a privacy policy does not by itself mean that a business has complied with the Personal Information Protection and Electronic Documents Act (PIPEDA). A business must take further steps to ensure that all its employees are aware of and adhere to the privacy policy and that all breaches of the privacy policy are brought to the immediate attention of its privacy officials.
Among the Privacy Commissioner's recommendations to CIBC are that the bank address privacy concerns as soon as they arise and that it notify affected customers when a breach occurs.
Most Common Security Compliance Challenges and Issues
Making the policies operational: translating policies into documented operational procedures and training staff
Senior management commitment and participation
Perimeter mentality, e.g. not implementing true need-to-know access
Implementing point solutions vs. a comprehensive approach
Managing the entire lifecycle for access and entitlement rights
Prioritizing and managing actions to close gaps, not just once but as part of an ongoing program
Why Comply?
C-level impact
Penalties for non-compliance and/or violation of SOX and related regulations/legislation are severe
Financial penalties
Risk of criminal conviction and incarceration, not solely civil prosecution
Competitive advantage
The corrective actions taken will probably improve operational quality and flexibility
Bankers and the investment community: choice between a compliant versus a non-compliant investment opportunity?
Potential new Board members: reluctant to join an organization that is not (yet) compliant?
Suppliers or business partners (especially those facing regulatory oversight) expecting compliance?
Brand trust level
Increasingly important in a world where more and more client interactions are mediated by IT versus person-to-person interfaces
A big factor in consumer choice of companies to deal with
Can lead to higher quality data to make business decisions with
A key to customer loyalty
Agenda: Optimizing the approach / Big Picture Thinking
The Problem
Many organizations don't have a consolidated picture of all the regulations they must comply with:
They deal with them one at a time on an ad hoc basis, especially true of organizations with multiple LOBs
This leads to ineffective and/or inefficient compliance measures:
Fractured communications
No central management system nor identified ownership for information
Sub-optimized approaches to things like information retention and disposal
Multiple parallel governance schemes
Most legislation is not prescriptive: easy to miss a smart way to comply if there is no overall "best practice" approach to serve as a reference
Ex: each separate project would have to determine what "keep the information secure" means
Very little "case history" to go on
The big picture - a smart implementation approach is needed…
[Diagram: legislation (SOX, PIPEDA, OSFI, industry-specific standards) implies the adoption of various security/information management standards: ITIL (process), COBIT (control), ISO 17799 (security), CICA (security), COSO. The question posed: "How do I implement all of these?"]
Recommend a broad approach…
[Matrix on the slide: information-management disciplines (business continuity practices, access control, managing preferences, information classification, roles and responsibilities, change control, retention, etc.) and governance elements (risk management process, compliance program, corrective action monitoring, etc.) as rows, against SOX 404, PIPEDA, etc. as columns; cells are marked where a discipline is customized to the requirement of the legislation. SOX 404 scopes critical financial assets; PIPEDA scopes personally identifiable information. Best practices are drawn from ISO 17799, ITIL etc.]
Determine all applicable legal and business obligations
Pick comprehensive, recognized frameworks to follow (ITIL, ISO 17799)
Drive from the discipline/governance perspective and make legislative customizations where appropriate
Big Picture Thinking
Senior management commitment
Recognition as a strategic issue: senior managers committed, involved, informed
Owner is a senior officer and/or has direct access to top levels
Setting high minimum standards across the enterprise
A response to multiple sets of regulations
Adopt best practices on the core principles
Minimal local customization where necessary
Active externally
Gain a voice in the public policy debate
Gain external benchmarks:
– Leverage trade associations, industry organizations
– Attend conferences, get an independent/external view, share
Viewing compliance as a competitive advantage
Will provide better data quality for making decisions
Organization will be more able to adapt to changing environments
Big Picture Thinking
Approaching as an ongoing business requirement
Permanent cross-functional steering committees, teams
Systematic, repeatable assessment against objectives
Tracking legislative, marketplace, customer, technology trends
Process focus
Detailed risk/opportunity analysis of information handling processes
Developing compliance-specific processes, e.g. disclosure, access to personal information
Making security and privacy systemic, embedded
Building considerations into all key process and compliance checkpoints
Assigning ownership at all levels
Leveraging technology
Identifying where technology can provide risk mitigation and opportunity enhancement
Extending enterprise architecture to include security and privacy architecture
Develop roadmap for governance …
Agenda: Optimizing the approach / Governance Framework
Security & Privacy Roadmap
The key: pull it all together with strong, business-focused security architecture and processes
Customer security considerations
What effects do the new regulations and legislation have on their specific industry?
Good security governance (policies) supports the security architecture, which in turn defines the technologies to deploy
A good security management program ensures enforcement of security policy and feedback into policy development
What controls are in place to measure compliance? Patch management; vulnerability assessments; threat and risk assessments (TRAs)
What is the organization's core competency? Consider where you are strong and where you are not:
Security-specific skills; 24x7 monitoring; incident response; security information data management
A good user-awareness program supports the security framework
The key: (cont'd)
Customer security considerations
A strong need to promote efficiencies and gain real cost savings in user administration through better identity management
A good security architecture can address the concerns of wireless networks
A security workshop is a good place to start understanding an organization's current state
Security extends beyond the walls of an organization's perimeter; it is embedded in every aspect of a business's infrastructure:
Facility
Legal
HR
IT
Audit
And the list goes on!
Make security a part of every solution!
Agenda: Optimizing the approach / Business Balance - ROI
Security & Privacy ROI
[Diagram: factors weighed in the Security & Privacy ROI balance: security, threat priority, speed, technical feasibility, privacy and way of life, sustainability, effectiveness, cost, economic disruption]
Security and Privacy ROI: make better decisions up-front, driving more effective implementation downstream
Provides value statements for the business and shareholders
Aligns security and privacy projects to the strategic direction of a corporation
Engages prior to specific solution decisions
Clearly demonstrates value delivered from security and privacy initiatives
Provides a thorough assessment of the ROI and business impact of potential solution(s)
Leverages a consistent framework for prioritizing initiatives
Integrates solution implementation with business strategy
Various factors should be considered when deciding whether to perform a Security and Privacy ROI assessment
Favorable environment:
Company is seeking to formulate an S&P strategy and wants to understand how it impacts their business and infrastructure
Company is seeking to justify a set of specific initiatives
Company could benefit from "leave-behind" project/initiative evaluation
Organizational change buy-in requires a rigorous and dependable business case
Unfavorable environment:
Company financial function has its own set of tools and methodology for evaluating project financial impact
Results are dependent on the availability of good data
Agenda: Making security operational and sustainable (Managed Security Services, Identity Management, Compliance Tools)
Key Customer Initiatives
Improve the collection and interpretation of security data through a combination of tools and intelligence services, to provide better response to security events.
Implement an identity management solution across the enterprise in order to know and manage who has access to what, where and why.
Align and integrate IT Security Threat and Risk Assessment with enterprise risk management framework.
Do all of the above in a cost effective manner.
Agenda: Making security operational and sustainable / Managed Security Services
There is also a strong need to get more value out of the security controls deployed, while learning to leverage more than just technology
Security devices can provide a great deal of timely information about what is going on across the enterprise, but there are a number of typical problems that make it hard to get full value out of them:
Information overload
The need for 24x7 monitoring with a limited budget
Dealing with many different, incompatible formats for logged data
Long-term storage requirements can overload most organizations
Separating real-world security intelligence from the chaff
But it is also important to keep in mind that more information can typically come out of a strong use of people, process and technology than from technology alone.
"Data mining and correlation functionality – it's one thing to be able to see an alert in real time, quite another to correlate it with other data points. Organizations wishing to correlate data will have to turn to products like Intellitactics, netForensics and OpenSystems' Private I, or develop home-grown solutions."
Greg Shipley, Network Computing
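The two problems listed above that a correlation product or a home-grown solution actually solves are the incompatible log formats and the separation of intelligence from chaff. As an added example for this transcript (not code from the original deck, from IBM, or from any product named in the quote), the Python below parses three constructed log formats (a firewall key=value line, an IDS CSV line, an sshd auth line) into one event shape, then escalates only a successful login that was preceded, within a window, by an IDS alert from the same source address. Each event on its own is routine noise; the pair is not. The formats, hosts, addresses and the year assumed for the year-less sshd timestamp are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in three incompatible formats (not real logs).
FIREWALL_LINES = [
    "2005-05-10T09:00:01 fw1 action=deny src=203.0.113.7 dst=192.0.2.10 dpt=22",
    "2005-05-10T09:00:03 fw1 action=deny src=203.0.113.7 dst=192.0.2.10 dpt=22",
    "2005-05-10T09:00:40 fw1 action=permit src=203.0.113.7 dst=192.0.2.10 dpt=22",
]
IDS_LINES = [
    "2005-05-10 09:00:05,ids1,SSH brute force,203.0.113.7,192.0.2.10,high",
    "2005-05-10 09:30:00,ids1,ICMP sweep,198.51.100.9,192.0.2.0,low",
]
AUTH_LINES = [
    "May 10 09:00:45 host10 sshd[412]: Accepted password for svc_backup from 203.0.113.7 port 50123",
    "May 10 09:31:00 host10 sshd[420]: Failed password for root from 198.51.100.9 port 50200",
]

FW_RE = re.compile(r"(\S+) (\S+) action=(\w+) src=(\S+) dst=(\S+) dpt=(\d+)$")
AUTH_RE = re.compile(
    r"(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Accepted|Failed) \w+ for (\S+) from (\S+) port \d+$"
)


def parse_firewall(line):
    """Firewall key=value syslog line -> normalised event, or None if unparseable."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts, sensor, action, src, dst, dpt = m.groups()
    return {"ts": datetime.fromisoformat(ts), "sensor": sensor, "kind": "fw_" + action,
            "src": src, "dst": dst, "detail": "dpt=" + dpt}


def parse_ids(line):
    """IDS CSV line (ts,sensor,signature,src,dst,severity) -> normalised event."""
    parts = line.split(",")
    if len(parts) != 6:
        return None
    ts, sensor, sig, src, dst, sev = parts
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "sensor": sensor,
            "kind": "ids_alert", "src": src, "dst": dst, "detail": f"{sig} ({sev})"}


def parse_auth(line, year=2005):
    """sshd auth line -> normalised event. The syslog timestamp has no year;
    2005 is an assumption for this constructed sample."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts, host, result, user, src = m.groups()
    return {"ts": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"), "sensor": host,
            "kind": "auth_success" if result == "Accepted" else "auth_failure",
            "src": src, "dst": host, "detail": "user=" + user}


def normalise(fw_lines=FIREWALL_LINES, ids_lines=IDS_LINES, auth_lines=AUTH_LINES):
    """Parse every source into the common shape, dropping lines that fail to parse."""
    events = [parse_firewall(l) for l in fw_lines]
    events += [parse_ids(l) for l in ids_lines]
    events += [parse_auth(l) for l in auth_lines]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def correlate(events, window_seconds=600):
    """Escalate a successful login preceded within the window by an IDS alert
    from the same source address. Returns one finding per such login."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        for login in (e for e in evs if e["kind"] == "auth_success"):
            alerts = [a for a in evs if a["kind"] == "ids_alert"
                      and timedelta(0) <= login["ts"] - a["ts"] <= window]
            if alerts:
                findings.append({"src": src, "host": login["dst"], "ts": login["ts"],
                                 "login": login["detail"],
                                 "alerts": [a["detail"] for a in alerts]})
    return findings


if __name__ == "__main__":
    for f in correlate(normalise()):
        print(f"{f['ts']} {f['src']} -> {f['host']} {f['login']} after {f['alerts']}")
```

The window is the tuning knob the slide's "care and feeding" refers to: too short and the brute-force alert and the login fall into separate buckets, too long and unrelated sweeps start pairing with legitimate logins. Storage and format drift are handled by keeping the raw line out of the event and only retaining the normalised fields.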
Benefits to Out-Sourcing Security
"The results from engaging a reputable, competent MSSP have the potential to be far superior to anything an organization can achieve on its own."
Organizations recognize that there is a significant amount of thought that must go into any decision to out-source IT security services. However, there are compelling reasons:
Recent events have demonstrated the need to pay attention to security
Many organizations look to managed services to provide rapid detection and notification of increasing threats
Network down-time and security breaches erode customer trust and satisfaction
Multi-vendor security technologies require integration to provide correlation, analysis and intelligence
The cost of a managed security service is typically less than hiring in-house
There is a shortage of qualified information security personnel
An increased need for 24x7 monitoring
Coordinated access to security processes, programs and intellectual capital provides deeper and broader security services
MSS Value Benefits
Staffing: 24x7 coverage; security focused; draw on global capabilities; product and professional certifications; skills consistently updated; experienced resources to deal with complex issues
Management: fixed monthly price (controlled budget); care and feeding (established processes):
o Monitoring
o Tuning
o Reporting
o Analysis
o Updates and patches
o Testing in a lab
o Research (peers, newsgroups, vendors, mailing lists, websites)
Infrastructure: end-to-end bundled service (hardware, software and services); technology refresh as required; managed and controllable costs
Service delivery: SLA; alerting; incident management; correlation, analysis and intelligence
Security Intelligence
[Diagram: managed security services (vulnerability scanning, anti-virus, vulnerability assessment, security policy verification, intrusion detection, incident management, information security advisories) feed security intelligence: incident management / forensic investigation, vulnerability analysis, IDS/IPS analysis, trend reporting]
Produce actionable intelligence from the raw data collected by Managed Security Services.
Agenda: Making security operational and sustainable / Identity Management
Typical Inefficient Process: Provisioning & De-Provisioning Users
[Flow: new user -> request for access generated -> policy and role examined -> approval routing -> administrators create accounts -> user with accounts]
Account turn-off performance: 30-60% of accounts are invalid
Costly: 1 administrator only handles 300-500 users
Elapsed turn-on time: up to 12 days per user
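The flow above is the manual version, and the invalid-account figure comes from nobody owning the turn-off side. As an added example (not code from the original deck or from any IBM product), the Python below shows the reconciliation an identity-management system performs underneath: derive the accounts each person should hold from an HR roster and a role-to-entitlement map, diff that against the accounts that actually exist in the target systems, and classify what to create and what to disable (leavers, orphans with no HR record, entitlements outside the person's role). The roster, role map, account list and the reference date are constructed.

```python
from datetime import date

# Constructed role map: for each role, the entitlement a person should hold per system.
ROLE_ENTITLEMENTS = {
    "accountant": {"erp": "gl_post", "email": "user"},
    "developer": {"git": "dev", "email": "user", "vpn": "user"},
    "contractor": {"vpn": "user"},
}

# Constructed HR roster (the authoritative source for joiners, movers, leavers).
HR_ROSTER = [
    {"id": "e100", "role": "accountant", "status": "active", "end": None},
    {"id": "e101", "role": "developer", "status": "active", "end": None},
    {"id": "e102", "role": "contractor", "status": "active", "end": date(2005, 4, 30)},
    {"id": "e103", "role": "developer", "status": "terminated", "end": date(2005, 3, 15)},
]

# Constructed account inventory: (system, owner id, entitlement) as found in each system.
ACCOUNTS = {
    ("erp", "e100", "gl_post"), ("email", "e100", "user"),
    ("git", "e101", "dev"), ("email", "e101", "user"),
    ("vpn", "e102", "user"),
    ("git", "e103", "dev"), ("vpn", "e103", "user"),   # terminated user never turned off
    ("erp", "e101", "gl_post"),                        # developer holding a finance entitlement
    ("vpn", "x999", "user"),                           # account with no HR record at all
}

AS_OF = date(2005, 5, 10)   # constructed reference date for the reconciliation run


def _is_current(person, as_of):
    """Active in HR and not past a contract end date."""
    if person["status"] != "active":
        return False
    return person["end"] is None or person["end"] >= as_of


def desired_accounts(roster, as_of, role_map=ROLE_ENTITLEMENTS):
    """The set of (system, owner, entitlement) every current person should hold."""
    want = set()
    for p in roster:
        if not _is_current(p, as_of):
            continue           # leavers and expired contracts get nothing
        for system, entitlement in role_map[p["role"]].items():
            want.add((system, p["id"], entitlement))
    return want


def reconcile(roster, accounts, as_of, role_map=ROLE_ENTITLEMENTS):
    """Diff desired versus actual accounts. Returns the accounts to create,
    the accounts to disable with a reason each, and the invalid-account ratio."""
    accounts = set(accounts)
    want = desired_accounts(roster, as_of, role_map)
    people = {p["id"]: p for p in roster}
    to_create = sorted(want - accounts)
    to_disable = {}
    for acct in sorted(accounts - want):
        owner = people.get(acct[1])
        if owner is None:
            reason = "orphan"          # no HR record: nobody is accountable for it
        elif not _is_current(owner, as_of):
            reason = "leaver"          # HR says gone, the system still says present
        else:
            reason = "out_of_role"     # real person, entitlement their role does not grant
        to_disable[acct] = reason
    ratio = len(to_disable) / len(accounts) if accounts else 0.0
    return {"create": to_create, "disable": to_disable, "invalid_ratio": ratio}


if __name__ == "__main__":
    result = reconcile(HR_ROSTER, ACCOUNTS, AS_OF)
    print("create:", result["create"])
    for acct, reason in result["disable"].items():
        print("disable:", acct, reason)
    print(f"invalid accounts: {result['invalid_ratio']:.0%}")
```

Running this on the constructed data flags five of nine accounts as invalid, in the range the slide quotes. The point of driving the diff from HR rather than from tickets is that the leaver case needs no request at all: the day the roster changes, the account appears in the disable list.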
Identity Management is a Business Imperative
● Increase business agility in the way your people work and your business processes perform
● Manage complexity with single sign-on and a unified user experience; comply with regulations and audit requirements
● Help reduce the cost of security administration and support
● Optimize IT resources by controlling "who has access to what" with end-to-end security management
Agenda: Making security operational and sustainable / Compliance Tools
Governance is the oversight role and part and parcel of setting strategic objectives. Risk management evaluates all relevant business risks and controls and monitors mitigation actions in a structured way.
Compliance is the execution of these objectives, based on risk tolerance.
PwC
The Risk Intelligent Solution
Governance and risk management come first; Compliance follows
With such intense focus on compliance, many companies are jumping in head first to solve the most glaring issues, but governance (corporate, IT, or other) and appropriate management of business and operation risk must come first.
John Hagerty, AMR Research
The Risk Intelligent Solution
Risk Map
[Screenshot: the map shows relative size, relationship and current status of risks; clicking on a risk and hitting the Information button reveals more details; trend analysis of the last 6 status reports]
Overall Acertus™ Solution Objectives
• Catalogue critical organizational assets/business processes;
• Identify the potential forms of loss to these assets;
• Identify and rate the threats that could impact those assets;
• Discover vulnerabilities that could allow those threats to occur;
• Identify the cost-effective safeguards to reduce and/or eliminate potential threats;
• Determine compliance against business practice standards such as ISO 17799, COBIT, Sarbanes–Oxley, and Bill C-6; and
• Utilize the reporting engine and simulator to determine the best overall organization strategy.
The Risk Intelligent Solution
For further information, contact:
Nigel Brown
e-mail: [email protected]
Phone: (416) 478-8111
Laura Wills
email: [email protected]
Phone: (403) 539-3777
Brian Zerr
email: [email protected]
Phone: (306) 565-4297