
Governance and Risk Management Live

Governance and Risk Management Live. 5 June 2007 Emirates Stadium, London. IBM Security and Privacy Solutions Operational Security Management. James Rendell. Pre-sales and Consulting Manager, IBM Internet Security Systems. Content. The Changing nature of Threats



Presentation Transcript


  1. Governance and Risk Management Live. 5 June 2007, Emirates Stadium, London

  2. IBM Security and Privacy Solutions: Operational Security Management. James Rendell, Pre-sales and Consulting Manager, IBM Internet Security Systems

  3. Content
  • The changing nature of threats
  • The implications of regulation on operational management
  • The operational challenges of security and best practice solutions

  4. Before and after security failures! Security management is a thoughtful balance between opportunity and exposure.

  5. Security breaches are failures of governance, and they can be costly
  • 62% of all UK businesses had a security incident last year
  • 84% of large UK businesses experienced a premeditated and malicious incident
  • The average cost of a company’s worst incident was £8,000 - £17,000 for small to medium UK companies and £65,000 - £130,000 for large UK businesses
  • Large UK businesses most commonly experience 19 security incidents per year
  Headlines:
  • Man-in-the-middle phishing scheme targets Amazon.com (SC Magazine, Jan 3 2007)
  • iPods used to steal company information (The Guardian, June 14, 2005)
  • Some estimates suggest as much as 85% of all email is spam (SearchSecurityChannel, 3rd Jan 2007)
  • New Trojan Hits Symbian Smartphones (Information Week, July 5, 2005)
  • Nationwide fined £980,000 following laptop theft

  6. The state of evolving threats: e-crime
  • Big business driven by profit
  • Innovation to capture new markets (victims)
  • Victim segmentation and focus
  • Stealth is the new “black”
  • Rate of attacks is accelerating
  • Form of attack is more malicious
  • Attacks are “designer” in nature

  7. Objectives
  • Security is opportunity
  • Security should be mission-driven
  • Security should align with risk management
  • Security requires collaboration
  “As much as consumers have adopted and embraced technology, they are also aware that with the advancement and innovation comes the opportunity to abuse the rapid spread of the electronic world.” -- Stuart McIrvine, Director of IBM Security Strategy

  8. Collaboration brings rewards – and risks
  Diagram: five stages of collaboration, plotted against rising trust and collaboration on one axis and rising cost and complexity of threats and administration on the other:
  1. Isolated Operations
  2. Select ‘Trusted Partners’
  3. Value Chain Visibility
  4. Industry-Centric Value Web
  5. Cross-Industry Value Coalition

  9. IT Governance and IBM’s Six Essential Global Competencies
  • Understand where, when and by whom value is created
  • Compete in a Global Marketplace
  • Manage Value in an Open Network
  • Build a Specialised Enterprise
  • Leverage Global Assets
  • Address Shared Risk and Control
  • Enable Collaboration
  • Take innovative approaches to risk management and IP
  Supporting quotes:
  • “Security needs to be maintained even when [the GIE’s] products and operations are handled by a dozen organisations in as many countries.” – “The Globally Integrated Enterprise”, Sam Palmisano in Foreign Affairs, June 2006
  • “Business demands render old security models obsolete… CISOs constantly challenged to align security with business strategy as well as manage risk.” – Mike Rasmussen, Forrester, May 2006
  • “Detecting and responding to events in a just-in-time basis is sometimes critical” – “The event-driven world”, IBM Global Technology Outlook, 2006

  10. Top-down and bottom-up approaches to IT Security Risk
  “There are two fundamental components of effective management of risk in information and information technology. The first relates to an organisation’s strategic deployment of information technology in order to achieve its corporate goals … and the way risks are assessed and controlled. The second component is the way in which the risks associated with information assets themselves are managed.” – “International IT Governance: An Executive Guide to ISO 17799 / ISO 27001” by Alan Caulder & Steve Watkins
  Diagram: SOA Security Model

  11. IBM Corporate Security Strategy (Process, Technology, Information, People)
  • IT Compliance Management. Focus: Auditors. Prove compliance with many “fuzzy” regulations
  • IT Security Risk Management. Focus: Threats. Optimise security according to business/risk objectives
  • Secure Infrastructure. Focus: Operations. Achieve operational efficiency across domain technologies
  Ignite technology and business integration*:
  • Be a business executive first, technologist second
  • Close the gap between business and IT
  • Build hybrid skill sets among the IT community
  • Promote a new governance model
  • Meld business and IT leadership together
  * IBM Global CEO Survey: what CEOs expect of CIOs

  12. Cultural shift: new value proposition for new type of CIO
  • “The CIO has clout because he earned it. He is regarded as a peer by the other executives; he understands the bank's businesses and thinks about them in the same way the other executives do; he uses their language; he thinks about initiatives as business options (not technology ones) and assesses them with the appropriate metrics; and he understands the constraints of the businesses and works within them.” – Example of new breed of CIOs in “What IT Leaders Do”, McKinsey Quarterly, August 2005
  • “Security is not a technology function; it is a business function.” – Senior Vice President and Chief Information Security Officer
  • “We are at the dawn of a new IBM - a company increasingly intent on integrating its traditionally disparate assets in a way that will deliver true business solutions, not just IT solutions. It is working to achieve this integration through a combination of top-down and bottom-up integration initiatives that involve all its key operating groups.” – Ovum, January 2007
  Ignite technology and business integration*:
  • Be a business executive first, technologist second
  • Close the gap between business and IT
  • Build hybrid skill sets among the IT community
  • Promote a new governance model
  • Meld business and IT leadership together
  * IBM Global CEO Survey: what CEOs expect of CIOs

  13. Corporate Security Strategy (Process, Technology, Information, People): as CIOs become business-focused, they need the same tools to manage the IT portfolio that CFOs use for the financial portfolio
  • “80-20 rule applies to IT controls. Small percent of IT controls provide a disproportionately high amount of coverage.” – IT Process Institute “IT Controls Performance Study” of 96 IT groups
  • IBM team analysing a leading US financial institution found that of 85 specific risks, three resiliency-related risks (3.5%) accounted for over 90% of the firm’s operational risk. – IBM Research
  Diagram: IT Governance built on three disciplines with their indicators:
  • IT Performance Management – KPIs – Return
  • IT Security Risk Management – KRIs – Risk
  • IT Compliance Management – KCIs – Compliance
  with Controls and Secure Infrastructures as the foundation.

  14. C-level execs: five governance questions for the board. Questions are CIO scenario categories; the CIO is now a business strategy executive
  Diagram: CIO Dashboard with KPIs (Return, IT Performance Management), KRIs (Risk, IT Risk Management) and KCIs (Compliance, IT Compliance Management)
  1) “Are any of our strategic, business, and financial objectives at risk?” [Progress toward external, market-driven Business Results Benchmark]
  2) “What key risk indicators and trends require immediate attention?” [Progress toward internal Risk Benchmark that optimises results given business & compliance imperatives]
  3) “What are the risk assessments that we should review?” [Potential changes to Risk Benchmark reflecting new threats & vulnerabilities, as well as changing external business & regulatory benchmarks]
  4) “Are we in compliance with policies, limits, laws, and regulations?” [Progress toward external, regulatory-driven Compliance Benchmark]
  5) “What risk incidents have been escalated by our risk functions and business units?”
  Five questions from: Enterprise Risk Management: From Incentives to Controls by James Lam

  15. Security tools align into operational domains of critical mass (Process, Technology, Information, People)
  Diagram: IT Security Risk Management spanning Operational Risk and Operational Efficiency over a Secure Infrastructure, with TSOM for monitoring, TIM/TAM/FIM for logical and physical identity management (example: employee 3258, Mark Martin), and Platforms, Network and Transactions as the protected layers

  16. Implementation methodology
  Diagram elements: Business Objectives, Policy Definition, Risk Management Process Definition, Resiliency Requirements (KRI catalogue), Risk Classification, Controls Management, Execution of Procedures, Monitoring, Incident Management, Incident Forensics, Process Management, Measurement & Analysis, Dashboards

  17. Visualising IT Security Risk
  Visualisation capabilities: Relative Risk Status, Policy Navigation, Investment in Security and its effects
  Execution tools: ISS Alert Correlation

  18. Balancing operational risk and business flexibility means addressing the security challenge appropriately
  • Governance & Compliance: CEO, CFO, CRO, etc.
  • Security Process Management: CSO, CIO, Ops managers, etc.
  • Secure Infrastructure: IT managers, Dev managers, IT Architects, etc.

  19. The IBM Security Framework provides the foundation for assessing and building an overall security programme
  IBM Information Security Framework components: Governance; Enterprise Information Management & Privacy; Privacy; Threat mitigation; Transaction and data integrity; Identity and access management; Application security; Physical security; Personnel security

  20. Successful enterprise-wide security requires an integrated approach throughout the full lifecycle (Assess, Monitor, Access, Defend)
  Understand:
  • Where the exposures lie
  • Which security capabilities are needed to meet business requirements
  • How those capabilities work together to help manage risk
  • How to reduce risk to acceptable levels
  • Which activities to focus on first
  • Where to start and where to end
  And build a roadmap that will help enhance the current security programme

  21. The strengths of IBM combine to create a robust and flexible set of Security & Privacy offerings across the Assess, Monitor (Watch), Access and Defend lifecycle, to provide comprehensive security solutions and reduce complexity
  • Governance and Risk Assessment Services
  • Vulnerability Assessment Services
  • ISS Enterprise Scanner
  • Tivoli Compliance and Privacy products
  • ISS Site Protector
  • Tivoli Security Operations Manager
  • Tivoli Security Compliance Manager
  • ISS Proventia Intrusion Prevention Family
  • ISS RealSecure Family
  • Managed Security Services
  • Tivoli Risk Manager
  • Server & Storage encryption
  • Video Surveillance Solutions
  • Identity and Access Management Services
  • Tivoli Identity and Access Management
  • Physical Security Services
  • IBM System OS Access Management
  • IBM Security Enhanced Linux
  • IBM Storage Tape Encryption

  22. Example: Payment Card Industry Data Security Standard (PCI DSS), mapped to the Assess, Monitor (Watch), Access and Defend lifecycle
  • Quarterly scanning
  • Annual penetration test
  • ISS Site Protector
  • Security Event and Log Management
  • Consul InSight
  • Initial PCI pre-assessment
  • Consulting services to develop remediation for vulnerabilities
  • Annual on-site audit (level 1 merchant)
  • Project service to remediate vulnerabilities
  • ISS Network Intrusion Prevention System (IPS)
  • ISS Network ADS
  • ISS Server IPS
  • Server and Storage Encryption
  • Security Awareness programme
  • IBM System OS Access Management
  • IBM Storage Tape Encryption

  23. To keep your business secure, IBM and its partners provide best of breed Security and Privacy solutions (Assess, Monitor, Access, Defend)
  Internet Security Systems:
  • A leader in identifying security threats industry-wide (first to discover 51% of high risk vulnerabilities since 1998)
  • 1996: First commercial Intrusion Detection System (RealSecure)
  • 2000: First Intrusion Prevention System (Guard)
  • 2004: First Managed Security Service protection guarantee (Managed Protection Services)
  • 2005: First behavioral-based Anti-Virus of its kind
  • Supported by encrypted hardware
  IBM Tivoli – Identity and Access Management; IBM/Internet Security Systems Management Security Services:
  • IBM is the worldwide leader for security services amongst large generalist providers of IT services
  • Providing strength and stability, brand recognition, and a trusted provider of IT security solutions
  • Providing implementation and integration using best of breed partners and an “ability to make it work”
  • 15 of the top 20 commercial bank companies worldwide
  • 6 top health care companies worldwide
  • 4 of the top 5 telecommunications companies worldwide
  • 6 of the top 10 aerospace and defense companies worldwide
  • 7 of the top 10 computer and data service companies worldwide
  • Supported by encrypted hardware
  * Verified August 2004; Sources: Forbes
  • The combination of IBM and ISS will provide additional value to clients through our deep industry knowledge, world class research capabilities, security process expertise, global scale and industry leading security management technologies.
  • ISS will benefit further from IBM’s global reach. The combination of IBM’s existing security expertise and reach across its business and ISS’ industry-leading capabilities will prove beneficial for all.

  24. Q & A

  25. Thank you

  26. Governance and Risk Management Live
