http://w3.IBM.com/IBM/presentations

Page 1: Security & Privacy Services Presentation subtitle: 20pt Arial Regular, teal R045 | G182 | B179 Recommended maximum length: 2 lines Confidentiality/date

Security & Privacy Services

© 2005 IBM Corporation

Security/Identity & Privacy

Information Security

A Foundation for Compliance and Governance

Page 2:

Security/Identity and Privacy, May 2005 © 2005 IBM Corporation

Agenda

What are the security obligations?

Optimizing the approach

Making security operational and sustainable

Page 3:

The current landscape…

Sarbanes-Oxley
New CICA and Bill 198 requirements, intended to match SOX
Privacy legislation: PIPEDA + Public Sector
Other provincial legislation
US and other global legislation
More legislation and regulation is expected, not less!

Bottom line: Increased involvement from Legal and a host of new audit requirements

Bernard Ebbers, 63, exits a federal courthouse with his wife Kristie in New York Tuesday. (Photo: AP)

Former WorldCom Chief Financial Officer Scott Sullivan is arrested in December 2002. (Photo: CBS/AP)

WorldCom Chief Guilty

Liability resides at the C-level

Page 4:

What are the security obligations?

Financial

Privacy

Public Expectation

Optimizing the approach

Making security operational and sustainable

Page 5:

Sarbanes-Oxley (SOX) is leading the trend in financial legislation…

Who does SOX affect directly?
Companies traded on U.S. exchanges with revenues in excess of US $75m
More than 1,200 non-American companies are registered & reporting to the SEC and thus must be SOX-compliant
Almost 500 of these are Canadian domiciled

Companies traded in other jurisdictions may expect comparable regulatory requirements soon
Prior to SOX, the SEC usually deferred to home-country regulations in many areas
Since 1991, Canadian companies listed in the U.S. have effectively been governed by Canadian regulators under the Multi-Jurisdictional Disclosure System (MJDS)
SOX contains no general exemption for MJDS issuers - expect & assume Canadian regulators to maintain regulations very similar to those in the U.S.

Contains a number of key sections with security implications:
Section 302, CFO & CEO Certification – focus in 2002
Section 404 - current focus
Sections 409, 802 are important also

Page 6:

Equivalent Canadian Rules

Bill 198 and Bill 41 (Ontario)
Bill 198 is Ontario’s response to SOX, and seeks to restore investor confidence in Ontario (primarily TSX) listed companies
Bill 41 contained several amendments to Bill 198
Primarily to facilitate shareholder lawsuits against corporations and directors, and through that vehicle force greater integrity in financial reporting and other public statements
Includes personal responsibility/liability of company officers
The rights of action are for misrepresentations/failure to make timely disclosures
One of the key defences is due diligence

Multilateral Instruments – Passed by Provincial Securities Regulators
52-109, requiring CEO and CFO certification of annual and interim filings
– Filings do not contain misrepresentation or omissions
– Appropriate design of disclosure and internal controls
– Evaluation of the effectiveness of such controls
– Disclosure of possibly material changes in such controls
52-111, reporting on internal control over financial reporting
Similar to SOX Sections 302 and 404

Canadian Initiatives: In effect

Page 7:

SOX by the numbers…

Section 302 – Personal Certification of Controls

Requirement: CEO and CFO must personally certify to the accuracy of financial statements and the efficacy of internal disclosure controls

General Implications
− Establishing and enforcing disclosure controls and procedures at all levels of the company
− Quarterly evaluation of the efficacy of controls by the company
− Disclosure to audit committee of all significant deficiencies, material weaknesses, and acts of fraud
− Establishing and emphasizing a culture of integrity

Security Implications
Integrity of data
– No unauthorized modification
– Audit trail on authorized modifications
– Protection against viruses etc.
Authentication and non-repudiation controls

In effect

Page 8:

SOX by the numbers…

Section 404 – Annual Report on Controls

Requirement: Annual report by management on internal controls, attested by external audit firms

General Implications
− Focus on process mapping and documentation of existing controls that have a bearing on financial reporting, test for efficacy, and report on gaps and deficiencies
− Ability to monitor control compliance

Security Implications
Choose and implement a comprehensive security controls framework
Measure and report against compliance with framework

Current focus

Page 9:

SOX by the numbers…

Section 409 – Realtime Disclosure

Requirement: SEC to consider rules providing for real-time disclosure of material events

General Implications
− Accelerated reporting requirements place a premium on disclosure controls and quick quarterly close

Security Implications
Availability of data
– Protection against denial of service attacks or other security problems that impact availability of data

35/60 Day Requirements in 2005

Page 10:

SOX by the numbers…

Section 802 – Records Retention

Requirement: Criminal penalties for failure to comply with record retention policies, including assurance of no destruction, alteration, or falsification of records

General Implications
− Strengthened document management and retention practices
− Supports the establishment of ethical behavior

Security Implications
Integrity of data
– No unauthorized access for change/erasure
– Control on allowed actions by authorized users (ex: no delete/modification)
– Protection against viruses etc.
– Stopping scheduled destruction

In effect

Page 11:

What are the security obligations?

Financial

Privacy

Public Expectation

Optimizing the approach

Making security operational and sustainable

Page 12:

Why Is Privacy Receiving So Much Focus?

Technology has Changed the Playing Field
Pervasive computing: a geometric rise in the ability to track and gather information 7/24
The Internet: ability for anyone on the planet to send, share, obtain information instantly
Software: analytical and modeling capabilities to correlate, profile and evaluate
The human interface has been replaced with the machine interface
Technology, when misused, can be part of the problem, but can also be part of the solution

Individual Concern - People feel they are losing control
They suspect information is being collected without their knowledge
They are not sure how it is being used, protected and who it is being shared with
They are seeing organizations making mistakes that expose their information
They are experiencing annoyance, anxiety and damage (from marketing calls to identity theft)
They are taking action on their concerns (demanding explanations, not dealing with an organization, not providing information, providing false information)

Government Response
Governments have responded to these concerns with legislation (lots of it)
They are starting to hold senior officers accountable and demand proof of compliance

Page 13:

Privacy Legislation around the Globe

OECD Privacy Principles (1980)

Public Sector Privacy and Freedom of Information Acts
In most western countries for many decades

Enacted or Pending Private Sector Omnibus Legislation
European Data Protection Directive (1998)
Canadian Federal (PIPEDA, 2001-4), Quebec, BC, Alberta
Switzerland, Australia, Japan, Argentina, Hong Kong .... and growing

Enacted or Pending Private Sector Sectoral Legislation (US):
Financial Sector - GLB (2001)
Health Sector - HIPAA (2002) – also Canada
Children's Privacy - COPPA (1999)
California – SB 1836 et al.

Related Legislation:
Telecom, Health, Labour acts etc.

Page 14:

The 10 CSA Privacy Principles

1. Accountability: Appropriate policies, Responsibility for data, Individuals assigned, 3rd Parties
2. Identifying Purposes: Documented, Reasonable, Before collection
3. Consent: Informed, Not coerced, Provision for withdrawal
4. Limiting Collection: Limited to purpose, Fair and lawful means
5. Limiting Use, Disclosure and Retention: New use = new consent, Retain only for purpose, Can anonymize
6. Accuracy: Accurate for purpose, Avoid unnecessary updates
7. Safeguards: Appropriate to data sensitivity, Physical/Organizational/Technology, 3rd Parties
8. Openness: Publish policies/practices, Identify type of data and use/disclosure, Identify contact
9. Individual Access: Disclose existence/use/disclosure, Respond promptly, Provide access/correction opportunity
10. Challenging Compliance: Clear mechanism to receive and respond to challenges

Page 15:

What are the security obligations?

Financial

Privacy

Public Expectation

Optimizing the approach

Making security operational and sustainable

Page 16:

Public expectation leads legislation…

The lines of jurisdiction are blurring
Ex: privacy, which law applies – is it the location of the client? The server? The organization? The data?

The public/press expect a minimum standard, regardless of legislation

Many public sector organizations are taking note of private sector standards (SOX, PIPEDA etc.) due to public expectation

Hard to argue that you have no moral obligation to meet emerging global norms for standards of care – brand is at stake

Only a matter of time before legislation follows…

Page 17:

California Wave – the SB 1836 example

SB 1836 essentially says that if you suspect you have had a security breach that may have compromised the personal information of a California resident, you must immediately inform each and every individual involved

There have been numerous incidents of personal data compromise in the last 3 months:

Bank of America, Ameritrade, Time Warner (loss of tapes)

ChoicePoint (social engineering)

LexisNexis (hackers)

The results: Severe brand/stock damage and negative press

Had to apply SB 1836 remedial actions for all, not just California residents

Has sparked a torrent of legislative activity in the US

Page 18:

Privacy Commissioner Releases Findings from CIBC Privacy Inquiry

On April 18, 2005, the Office of the Privacy Commissioner of Canada (OPC) released the findings of its investigation into the Canadian Imperial Bank of Canada’s (“CIBC”) well-publicized privacy breach. The incident involved a series of misdirected faxes containing the personal information of CIBC customers that were sent by different branches of the bank to a company in Quebec and another company in the United States. The misdirected faxes were sent between 2001 and 2004 and the bank did not notify customers whose privacy was breached until the matter was picked up by media outlets.

The Privacy Commissioner, Jennifer Stoddart, stated that the failure of CIBC’s privacy practices in functioning properly should serve as a wake-up call to all Canadian organizations. She indicated that the act of publishing a privacy policy does not by itself mean that a business has complied with the Personal Information Protection and Electronic Documents Act (PIPEDA). A business must take further steps to ensure that all its employees are aware of and adhere to the privacy policy and all breaches in the privacy policy are brought to the immediate attention of its privacy officials.

Among the Privacy Commissioner’s recommendations to CIBC are that the bank address privacy concerns as soon as they arise and that it notify affected customers when a breach occurs.

Page 19:

Most Common Security Compliance Challenges and Issues

Making the policies operational
Translating policies into documented operational procedures and training staff
Senior management commitment and participation
Perimeter mentality
Ex: not implementing true need-to-know access
Implementing point solutions vs. a comprehensive approach
Managing the entire lifecycle for access and entitlement rights
Prioritizing and managing actions to close gaps
Not just once but as part of an ongoing program

Page 20:

Why Comply?

C-Level Impact
Penalties for non-compliance and/or violation of SOX and related regulations/legislation are severe
Financial penalties
Risk of criminal conviction and incarceration, not solely civil prosecution

Competitive Advantage
The corrective actions taken will probably improve operational quality and flexibility
Bankers and the investment community - choice between a compliant versus a non-compliant investment opportunity?
Potential new Board members - reluctant to join an organization that is not (yet) compliant?
Suppliers or business partners (especially those facing regulatory oversight) expecting compliance?

Brand Trust Level
Increasingly important in a world where more and more client interactions are mediated by IT versus person-person interfaces
A big factor in consumer choice of companies to deal with
Can lead to higher quality data to make business decisions with
A key to customer loyalty

Page 21:

What are the security obligations?

Optimizing the approach

Big Picture Thinking

Governance Framework

Business Balance - ROI

Making security operational and sustainable

Page 22:

The Problem

Many Organizations don’t have a consolidated picture of all the regulations they must comply with:
They deal with them one at a time on an ad hoc basis
Especially true of Organizations with multiple LOBs

Leads to ineffective and/or inefficient compliance measures:
Fractured communications
No central management system nor identified ownership for information
Sub-optimized approaches to things like information retention, disposal
Multiple parallel governance schemes

Most legislation is not prescriptive – easy to miss a smart way to comply if there is no overall “best practice” approach to serve as a reference
Ex: each separate project would have to determine what “keep the information secure” means
Very little “case history” to go on

Page 23:

The big picture - a smart implementation approach is needed…

Diagram: legislation (SOX, PIPEDA, OSFI, industry specific standards) implies the adoption of various security/information management standards: ITIL (Process), COBIT (Control), ISO 17799 (Security), CICA (Security), COSO. The question posed: “How do I implement all of these?”

Page 24:

Recommend a broad approach…

Diagram: a matrix mapping IM Disciplines (Business Continuity Practices, Access Control, Managing Preferences, Information Classification, Roles and Responsibilities, Change Control, Retention, etc.) and Governance (Risk management process, Compliance program, Corrective action monitoring, etc.) against legislation (SOX 404, PIPEDA, etc.), covering Critical Financial Assets and Personally Identifiable Information. The disciplines draw on best practices from ISO 17799, ITIL etc. and are customized to the requirement of legislation.

Determine all applicable legal and business obligations
Pick comprehensive, recognized frameworks to follow (ITIL, ISO 17799)
Drive from the discipline/governance perspective and make legislative customizations where appropriate

Page 25:

Big Picture Thinking

Senior Management Commitment
Recognition as a strategic issue - senior managers committed, involved, informed
Owner is a senior officer and/or has direct access to top levels

Setting High Minimum Standards Across the Enterprise
A response to multiple sets of regulations
Adopt best practices on the core principles
Minimal local customization where necessary

Active Externally
Gain a voice in the public policy debate
Gain external benchmarks:
– Leverage trade associations, industry organizations
– Attend conferences, get independent/external view, share

Viewing Compliance as a Competitive Advantage
Will provide better data quality for making decisions
Organization will be more able to adapt to changing environments

Page 26:

Big Picture Thinking

Approaching as an Ongoing Business Requirement
Permanent cross-functional steering committees, teams
Systematic, repeatable assessment against objectives
Tracking legislative, marketplace, customer, technology trends

Process Focus
Detailed risk/opportunity analysis of information handling processes
Developing compliance specific processes, ex: Disclosure, Access to personal information

Making Security and Privacy Systemic, Embedded
Building considerations into all key process and compliance checkpoints
Assigning ownership at all levels

Leveraging Technology
Identifying where technology can provide risk mitigation and opportunity enhancement
Extending Enterprise Architecture to include Security and Privacy Architecture

Develop Roadmap for Governance …

Page 27:

What are the security obligations?

Optimizing the approach

Big Picture Thinking

Governance Framework

Business Balance - ROI

Making security operational and sustainable

Page 28:

Security & Privacy Roadmap

Page 29:

The key: pull it all together with strong, business-focused security architecture and processes

Customer Security Considerations
What effects do the new regulations and legislation have on their specific industry?
A good Security Governance (policies) supports the Security architecture, which in turn defines the technologies to deploy
A good Security Management Program ensures enforcement of security policy and feedback into policy development
What controls are in place to measure compliance? Patch management, Vulnerability assessments, Threat and Risk Assessments (TRAs)
What is the organization’s core competency? Consider where you are strong and where you are not:
Security specific skills, Monitoring 24x7, Incident response, Security information data management
A good user-awareness program supports the security framework

Page 30:

The key: (cont’d)

Customer Security Considerations
A strong need to promote efficiencies and gain real cost savings in user administration through better identity management
A good security architecture can address the concerns of wireless networks
A security workshop is a good place to start to understand an organization’s current state
Security goes beyond the walls of an organization’s perimeter; it’s embedded in every aspect of a business’ infrastructure:

Facility

Legal

HR

IT

Audit

And the list goes on!

Make Security a part of every solution!

Page 31:

What are the security obligations?

Optimizing the approach

Big Picture Thinking

Governance Framework

Business Balance - ROI

Making security operational and sustainable

Page 32:

Security & Privacy ROI

Diagram: factors weighed in the Security & Privacy ROI balance: Security, Threat Priority, Speed, Technical Feasibility, Privacy and Way of Life, Sustainability, Effectiveness, Cost, Economic Disruption

Page 33:

Provides value statements for the business and shareholders

Aligns Security and Privacy projects to the strategic direction of a corporation

Engages prior to specific solution decisions

Clearly demonstrates value delivered from Security and Privacy initiatives

Provides a thorough assessment of the ROI and business impact of potential solution(s)

Leverages a consistent framework for prioritizing initiatives

Integrates solution implementation with business strategy

Security and Privacy ROI: Make better decisions up-front, driving more effective implementation downstream

Page 34:

Various factors should be considered when deciding whether to perform a Security and Privacy ROI assessment

Favorable Environment
Company is seeking to formulate an S & P strategy and wants to understand how it impacts their business & infrastructure
Company is seeking to justify a set of specific initiatives
Company could benefit from “leave-behind” project/initiative evaluation
Organizational change buy-in requires rigorous and dependable business case

Unfavorable Environment
Company financial function has their own set of tools and methodology for evaluating project financial impact
Results are dependent on the availability of good data

Page 35:

What are the security obligations?

Optimizing the approach

Making security operational and sustainable

Managed Security Services

Identity Management

Compliance Tools

Page 36:

Key Customer Initiatives

Improve the collection and interpretation of security data through a combination of tools and intelligence services, to provide better response to security events.

Implement an identity management solution across the enterprise in order to know and manage who has access to what, where and why.

Align and integrate IT Security Threat and Risk Assessment with enterprise risk management framework.

Do all of the above in a cost effective manner.

Page 37:

What are the security obligations?

Optimizing the approach

Making security operational and sustainable

Managed Security Services

Identity Management

Compliance Tools

Page 38:

There is also a strong need to get more value out of the security controls deployed, while learning to leverage more than just technology

Security devices can provide a great deal of timely information about what is going on across the enterprise, but there are a number of typical problems that make it hard to get your full value out of them.

Information overload

The need for 24x7 monitoring with a limited budget

Dealing with many different, incompatible formats for logged data

Long term storage requirements can overload most organizations

Separating real-world security intelligence from the chaff

But it is also important to keep in mind that more information can typically come out of a strong use of people, process and technology, than with just technology alone.

“Data mining and correlation functionality – It’s one thing to be able to see an alert in real-time, quite another to correlate it with other data points. Organizations wishing to correlate data have to turn to products like Intellitactics, netForensics and OpenSystems’ Private I, or develop home-grown solutions.”

Greg Shipley, Network Computing
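The slide's two obstacles, incompatible log formats and separating intelligence from chaff, shown as an added example that is not part of the IBM deck and uses none of the products it names. Three constructed log lines in unrelated formats (a syslog-style sshd line, a pipe-delimited application audit line, and a JSON record carrying a Windows-style EventID) are normalized into one schema, then failed logons for the same user from the same address are correlated across sources inside a time window; the sample data, field names and the 10-minute/2-source thresholds are assumptions chosen for the illustration.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample lines in three unrelated formats (assumed, not real logs).
SAMPLE_LOGS = [
    "Mar 12 10:14:02 host1 sshd[2211]: Failed password for alice from 10.0.0.5 port 5222 ssh2",
    "2005-03-12T10:14:30Z|webapp|LOGIN_FAIL|user=alice|src=10.0.0.5",
    '{"ts": "2005-03-12T10:15:01Z", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"}',
    "Mar 12 10:20:00 host1 sshd[2219]: Accepted password for bob from 10.0.0.9 port 5301 ssh2",
    "2005-03-12T11:40:00Z|webapp|LOGIN_FAIL|user=carol|src=10.0.0.7",
]


@dataclass(frozen=True)
class Event:
    """Common schema every source is normalized into before correlation."""
    ts: datetime
    source: str
    user: str
    src_ip: str
    outcome: str  # "fail" or "success"


SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line, syslog_year=2005):
    """Return an Event for a recognised line, or None for anything else (the chaff)."""
    line = line.strip()
    m = SYSLOG_RE.match(line)
    if m:
        # Classic syslog has no year; the caller supplies it.
        ts = datetime.strptime(f"{syslog_year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return Event(ts, "sshd", m["user"], m["ip"],
                     "fail" if m["outcome"] == "Failed" else "success")
    if line.startswith("{"):
        rec = json.loads(line)
        if rec.get("EventID") not in (4624, 4625):  # logon success / failure ids
            return None
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        return Event(ts, "windows", rec["TargetUserName"], rec["IpAddress"],
                     "fail" if rec["EventID"] == 4625 else "success")
    parts = line.split("|")
    if len(parts) == 5 and parts[2] in ("LOGIN_FAIL", "LOGIN_OK"):
        fields = dict(p.split("=", 1) for p in parts[3:])
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        return Event(ts, parts[1], fields["user"], fields["src"],
                     "fail" if parts[2] == "LOGIN_FAIL" else "success")
    return None


def correlate_failures(events, window=timedelta(minutes=10), min_sources=2):
    """Alert when one user/address pair fails on >= min_sources systems within the window."""
    by_key = defaultdict(list)
    for ev in events:
        if ev.outcome == "fail":
            by_key[(ev.user, ev.src_ip)].append(ev)
    alerts = []
    for (user, ip), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - first.ts <= window]
            sources = sorted({e.source for e in in_window})
            if len(sources) >= min_sources:
                alerts.append({"user": user, "src_ip": ip, "sources": sources,
                               "first": first.ts, "last": in_window[-1].ts})
                break  # one alert per pair: avoids flooding the analyst with duplicates
    return alerts


def analyse(lines, syslog_year=2005):
    """Normalize every line, drop the unparseable ones, and return (events, alerts)."""
    events = [e for e in (parse_line(l, syslog_year) for l in lines) if e is not None]
    return events, correlate_failures(events)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS)[1]:
        print(alert)
```

A single isolated failure (carol) produces no alert; only the cross-source pattern for alice does.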

Page 39:

Benefits to Out-Sourcing Security

“The results from engaging a reputable, competent MSSP have the potential to be far superior to anything an organization can achieve on its own.”

Organizations recognize that there is a significant amount of thought that must go into any decision to out-source IT Security services. However, there are compelling reasons:

Recent events have demonstrated the need to pay attention to security
Many organizations look to managed services to provide rapid detection and notification on increasing threats
Network down-time and security breaches erode customer trust and satisfaction
Multi-vendor security technologies require integration to provide correlation, analysis and intelligence
The cost of a managed security service is typically less than hiring in-house
There is a shortage of qualified information security personnel
An increased need for 24x7 monitoring
Coordinated access to security processes, programs and intellectuals provides deeper and broader security services

Page 40:

MSS Value Benefits

Staffing

24 x 7 coverageSecurity focusedDraw on Global capabilitiesProduct and professional certificationsSkills consistently updatedExperienced resources to deal with complex issues

Management

Fixed monthly price (controlled budget)Care & Feed (established processes)

o Monitoringo Tuningo Reportingo Analysiso Updates & patcheso Testing in a Labo Research (peers, newsgroups, vendors, mailing lists, websites)

Infrastructure End-to-end servicebundled service: Hardware, Software & Services.Technology refresh as requiredManaged & controllable costs

Service Delivery

• SLA

• Alerting

• Incident management

• Correlation, analysis and intelligence

Page 41

Security Intelligence

Incident Management / Forensic Investigation

Vulnerability Analysis

IDS/IPS Analysis

Trend Reporting

Produce actionable intelligence from the raw data collected by Managed Security Services.

Security Intelligence

Vulnerability Scanning

Anti-Virus

Vulnerability Assessment

Security Policy Verification

Intrusion Detection

Incident Management

Information Sec. Adv.

Page 42

What are the security obligations?

Optimizing the approach

Making security operational and sustainable

Managed Security Services

Identity Management

Compliance Tools

Page 43

Typical Inefficient Process: Provisioning & De-Provisioning Users

New User

Request for Access Generated

Policy & Role Examined

Approval Routing

User with Accounts

Administrators Create Accounts

Account turn-off performance: 30-60% of accounts are invalid

Costly, 1 administrator only handles 300-500 users

Elapsed turn-on time: up to 12 days per user

Page 44

● Increase Business Agility of the way your people work and your business processes perform

● Manage Complexity with single sign-on and a unified user experience; comply with regulations and audit requirements

● Help reduce the cost of security administration and support costs

● Optimize IT Resources by controlling “who has access to what” with end-to-end security management

Identity Management is a Business Imperative

Page 45

What are the security obligations?

Optimizing the approach

Making security operational and sustainable

Managed Security Services

Identity Management

Compliance Tools

Page 46

Governance is the oversight role and part and parcel of setting strategic objectives. Risk management evaluates all relevant business risks and controls and monitors mitigation actions in a structured way.

Compliance is the execution of these objectives, based on risk tolerance.

PwC

The Risk Intelligent Solution

Page 47

Governance and risk management come first; Compliance follows

With such intense focus on compliance, many companies are jumping in head first to solve the most glaring issues, but governance (corporate, IT, or other) and appropriate management of business and operation risk must come first. 

John Hagerty, AMR Research

The Risk Intelligent Solution

Page 48

Risk Map

The map shows the relative size, relationships and current status of risks.

Click on a Risk and hit the Information button to reveal more details

Trend analysis of the last 6 Status reports

Page 49

• Catalogue critical organizational assets/business processes;

• Identify the potential forms of loss to these assets;

• Identify and rate the threats that could impact those assets;

• Discover vulnerabilities that could allow those threats to occur;

• Identify the cost effective safeguards to reduce and/or eliminate potential threats;

• Determine compliance against business practice standards such as ISO 17799, COBIT, Sarbanes–Oxley, and Bill C6; and

• Utilize reporting engine and simulator to determine best overall Organization Strategy.

Overall Acertus™ Solution Objectives

The Risk Intelligent Solution

Page 50

For further information, contact:

Nigel Brown

e-mail: [email protected]

Phone: (416) 478-8111

Laura Wills

email: [email protected]

Phone: (403) 539-3777

Brian Zerr

email: [email protected]

Phone: (306) 565-4297