1 / 28

Introduction

Introduction. Welcome! Format of day Response to previous requests from clients Amendment to schedule. MWR InfoSecurity The Business Case for Information Security 12 March 2009 Alex Fidgen Ian Shaw. What will we achieve?. Help you gain organisational commitment and justify required spend

glenda
Download Presentation

Introduction

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction • Welcome! • Format of day • Response to previous requests from clients • Amendment to schedule Using Information Security for Business Advantage

  2. MWR InfoSecurity The Business Case for Information Security12 March 2009Alex Fidgen Ian Shaw

  3. What will we achieve? • Help you gain organisational commitment and justify required spend • Introduction • Part 1 - Visualisation techniques • Part 2 - Communication techniques • Part 3 - Supporting frameworks Using Information Security for Business Advantage

  4. Introduction • Communicating security risk can be very hard in environments without structured metrics • The classic chicken and egg scenario • We did not want to concentrate on the • is there/isn’t there argument for ROI.

  5. Problems • Senior Management and Board directors need to increase shareholder value • Mature metrics makes it easy to communicateshareholder value based risk • Associating technical risks with revenue is impossible without a business context • Information security managers with IT backgrounds find it hard to communicate risk at a business level • The business seldom understands the value of its information assets

  6. Communication! • This is a communication issue!

  7. Part 1 – Protecting Traditional Assets (Opening the Board’s Eyes to Information Security Spend – Is information security spending in line with traditional asset protection?) Using Information Security for Business Advantage

  8. Questions your Board may be asking • Why do we need to worry about this information security issue? • Why is Malware Protection so expensive? • Are these costs of doing business online justified? • I don’t understand whether this expenditure is justified • The following examples have been developed to demonstrate how security is integrated seamlessly into existing business models • Try to ignore any immediate reaction to industry sector! Using Information Security for Business Advantage

  9. Typical Retail Organisation (Asset Protection) Human Resources Vetting / References Internal Audit Disciplinary Procedure External Audit Credit Control Finance Secure Cash Handling Accounting Policies / Standards Financial Reconciliations Security Guards Warehouse / Distribution Store Detectives Stock Control Counterfeit Detection Safes / Alarms Shops Product Integrity* RFID Cardwatch CCTV Local Crime Schemes Using Information Security for Business Advantage * For example: tamper evident jars

  10. Typical Retail Organisation (Asset Protection) Human Resources Vetting / References Internal Audit Disciplinary Procedure External Audit Credit Control Finance Secure Cash Handling Accounting Policies / Standards Financial Reconciliations Security Guards Warehouse / Distribution Store Detectives Stock Control Counterfeit Detection Safes / Alarms Shops Product Integrity* RFID Cardwatch CCTV Local Crime Schemes Using Information Security for Business Advantage * For example: tamper evident jars

  11. Typical E-Retail (Information Asset Protection) Business Interfaces Vetting / References Information Security Policies Disciplinary Procedure Build Standards InfoSec Awareness Training IT/IS/ Development Threat Modelling Anti-Virus Security in SDLC Patch Management Data Storage Application Testing Vulnerability Assessment Penetration Testing Configuration Reviews Ecommerce Site Access Control Reviews Encryption Firewalls Legislative Compliance Monitoring / Intrusion Detection Using Information Security for Business Advantage Using Information Security for Business Advantage

  12. In Summary • Information asset protection still lags behind traditional asset protection • Opening the organisation’s eyes to traditional security measures can ‘set the scene’ to introduce information security • A simple visualisation technique helps soften attitudes to information security spend Using Information Security for Business Advantage

  13. Part 2 – A model for information asset identification and classification Using Information Security for Business Advantage

  14. Part 2 - Communication of risk • High level abstract link… • How best to communicate the risk from this point forward • Need to highlight risks that may impact shareholder value • Must be flexible and expose risks not currently perceived • One technique is threat modelling…plenty of others however Using Information Security for Business Advantage

  15. Risk – A quick reminder Threats Vulnerability An event that could have a detrimental effect on an asset A conduit that could be exploited by a threat Asset An item of value Risks The effect on a business of a risk being realised BUSINESS IMPACT

  16. What is threat modelling • Threat Modelling: • Grades Threats • Allows identification of vulnerabilities • Enhances the final calculation of risk • Very powerful and business focussed Using Information Security for Business Advantage

  17. What it can provide: • Defence in depth • Effective controls with efficient expenditure • Asset protection is proportional to the business value • Greater measurable returns on security investment Using Information Security for Business Advantage

  18. Case Study – Insurance Company • In excess of 600 systems • Business run in a federated sense • There is/was no centralised security management function, • Some security testing in the past against core systems • No set budget for security • Some basic security training, around physical security and access control Using Information Security for Business Advantage

  19. How the model was formed.. • identified the systems and the assets, • a high level risk assessment based on the business risk and potential business impact • Assignation of a commercial revenue value to each system Using Information Security for Business Advantage

  20. How the model was formed.. cont • All revenue streams documented • the most important systems quickly became evident, • Allowed focus on the most financially important assets • Intangible assets were also assessed (reputation, client satisfaction, employee • happiness etc.).

  21. What did this do? • This made an actual and tangible link to the management team connecting the • value of the information assets (within systems) with the value of assigned • security spend to identify and manage the risk • It open their eyes to the asset value, and made justification of budget almost • self fulfilling

  22. Part 3 – Effecting Change(Operational Information Security) Using Information Security for Business Advantage

  23. Where are we? Information Assets Threats Vulnerabilities Risks Current Position + = = Existing Controls Using Information Security for Business Advantage

  24. What is the appetite for risk? Current Position Where we want to be STAGE 1 Organisational Changes - = Using Information Security for Business Advantage

  25. Stage 1 – Organisational Change • What is required for successful organisational change • Change Plan – how will we know when we arrive? • Resources – do we have the resources to achieve the change? • Sponsorship – do we have executives backing for change? • Support (Culture) – important if exec sponsorship is broken? Using Information Security for Business Advantage

  26. Stage 2 - Operation • Measure performance (results not activities) • Make changes as necessary • Periodically review performance • Review measures Using Information Security for Business Advantage

  27. Summary Using Information Security for Business Advantage

  28. Questions? Using Information Security for Business Advantage

More Related