
Mitigate Risk March 23, 2004, 2pm

Learn how to identify and mitigate security and privacy risks using a risk management approach. This case study explores the causes of risks and the importance of protecting privacy and security. Evaluate your organization's maturity level and discover how to develop a risk management framework.



  1. Mitigate Risk March 23, 2004, 2pm Carolyn Burke, MA, CISSP, CISM CEO, Integrity Incorporated

  2. Things we should go over • Background Information • Identifying Risks • Relationship between Privacy & Security • What Causes Security & Privacy Risks • Using a Risk Management Approach • Risk and Vulnerability Assessment • Protecting Privacy & Security • Security & Privacy Management Capabilities Maturity Model • Case Study!

  3. But first, how mature do you think you are? • From 1 to 5, rate yourself: • on policy, process & procedures • on privacy & security • on technology

  4. Identifying Risks: What is at Risk? Assets of the organization include: • Secrets • $$ • Time, effort • People

  5. What else is at Risk? • Public trust in the organization • PR risk • May impede ability of the organization to operate effectively • Operational capabilities of the organization • Can be disrupted by unauthorized system modifications • Can be disrupted by Denial of Service and Distributed Denial of Service attacks

  6. And still more • Your clients • Privacy of clients’ personal information • Legally protected (legislation) • Contractually protected (policy, contract) • What information must be protected? • Accuracy of clients’ personal information • Legal requirements • Operational necessity

  7. Identifying Risks • assets • privacy? • trust? • people? • operations?

  8. The Relationship between Privacy & Security • privacy corresponds to confidentiality • security covers confidentiality, integrity and availability (the C-I-A triad)

  9. What Causes Security & Privacy Risks • Technical vulnerabilities • Fraud • Operational issues • The bad guys

  10. Technical vulnerabilities • Technical faults • Software bugs, incorrect documentation • Misconfiguration • software, servers, firewalls / security systems, routers • various other network elements • Hardware failure • lack of redundancy • poor maintenance schedule

  11. More technical vulnerabilities • Poor technical architecture • Lack of • appropriate perimeter defenses • intrusion detection systems • adequate access controls • adequate authentication systems • adequate authorization controls

  12. Fraud • Intentional misrepresentation • By clients • By staff • By company executives • External parties misrepresenting the company

  13. Operational issues • Insufficient checks & balances • peer review • periodic internal review • external audit • Human error • Faulty procedures • Undocumented or missing procedures • Lack of standardization • Do you have: • a security awareness program • a readable security policy • an incident response plan

  14. More operational issues • Lack of a clear policy framework • Poor real-time handling of security incidents • Lack of privacy awareness among all staff • Lack of security awareness among all staff • Extreme shortage of security skills among IT staff • Do you have: • a business continuity plan • a disaster recovery plan • a backup and recovery system

  15. Bad guys • Amateur hackers • Well-intentioned researchers • Malicious professionals • Financially motivated professionals (your loss, their gain)

  16. What Causes Security & Privacy Risks What high-level approach does your organization use today to address security & privacy issues? • How effective is it?

  17. The Risk Management Approach to Security & Privacy Strategy You can’t eliminate 100% of risks…

  18. The Risk Management Approach to Security & Privacy Strategy … but you can develop a risk management framework which...

  19. A Risk Management Framework • takes a strategic approach • provides a disciplined cost-benefit framework • establishes clear high-level policies to guide tactical decision-making • provides detailed processes & procedures

  20. A Risk Management Framework • specifies appropriate levels of protection (technical & procedural) based on sound analysis of vulnerabilities & resulting risks • sets technical standards • justifies security & privacy expenditures on both an economic & a legislative basis

  21. The Risk Management Approach: Key Components • Driven by risk analysis • Types of risks × Probabilities of risk × Costs of losses • Types of risk mitigation - impact on probabilities and losses • High-level security & privacy mandate - policies! • Accountability in all risk-related activities • Success factors • Continuous Improvement • Dynamic response to new threats

  22. Continuous Security Framework Okay, this is for the CSO.

  23. Continuous Security Framework • flow of control • flow of knowledge • verification

  24. Continuous Security Framework Metrics & Continuous Improvement

  25. Continuous Security Framework

  26. The Risk Management Approach to Security & Privacy Strategy Map out the high-level steps your organization needs to take to use a risk-management approach to privacy and security.

  27. Risk and Vulnerability Assessment • Risk vs. Vulnerability • Risk is economic & legal • Vulnerability is technical & procedural

  28. Quantifying risk • Economic Risk ($) = Types of risks × Probabilities of risk (%) × Costs of losses ($)
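The formula on slide 28, and the cost-benefit ordering slide 21 asks for ("types of risk mitigation - impact on probabilities and losses"), worked through as an added example; this is not code from the presentation, and the risk register, the controls and every dollar figure and probability are constructed for illustration.

```python
# Added example, not from the presentation: the slide's formula, Economic Risk ($) =
# probability x cost of loss summed over risk types, used to rank candidate
# mitigations by net benefit (expected loss avoided minus the control's cost).
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # annual probability of the loss event, 0.0 to 1.0
    loss: float         # cost of one occurrence, in dollars

@dataclass(frozen=True)
class Mitigation:
    name: str
    target: str                # name of the Risk it addresses
    annual_cost: float         # what the control costs per year, in dollars
    probability_factor: float  # multiplier on probability (0.2 = 80% less likely)
    loss_factor: float         # multiplier on loss (0.5 = half the damage)

def expected_loss(risks):
    """Annual economic risk: sum of probability x loss over all risk types."""
    return sum(r.probability * r.loss for r in risks)

def apply_mitigation(risks, m):
    """The risk register as it would look with control m in place."""
    return [replace(r, probability=r.probability * m.probability_factor,
                    loss=r.loss * m.loss_factor) if r.name == m.target else r
            for r in risks]

def net_benefit(risks, m):
    """Expected loss avoided by m minus its annual cost; negative means not worth it."""
    return expected_loss(risks) - expected_loss(apply_mitigation(risks, m)) - m.annual_cost

def rank_mitigations(risks, mitigations):
    """(name, net benefit) pairs, best first: the cost-benefit ordering the slides call for."""
    return sorted(((m.name, net_benefit(risks, m)) for m in mitigations),
                  key=lambda pair: pair[1], reverse=True)
# Constructed sample register and candidate controls; all figures are made up.
RISKS = [Risk("ddos", 0.30, 50_000),
         Risk("misconfiguration", 0.50, 20_000),
         Risk("staff fraud", 0.10, 200_000)]
MITIGATIONS = [Mitigation("DDoS scrubbing service", "ddos", 8_000, 0.2, 1.0),
               Mitigation("change control + config audit", "misconfiguration", 3_000, 0.4, 0.5),
               Mitigation("external fraud audit", "staff fraud", 25_000, 0.5, 1.0)]

if __name__ == "__main__":
    print(f"annual expected loss: ${expected_loss(RISKS):,.0f}")
    for name, benefit in rank_mitigations(RISKS, MITIGATIONS):
        print(f"{name:32} net benefit ${benefit:>10,.0f}")
```

With these constructed numbers the cheap procedural control (change control plus a configuration audit) ranks above the DDoS service, and the expensive fraud audit costs more than the loss it avoids, which is the kind of conclusion the slides say a disciplined cost-benefit framework should make explicit.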

  29. Assessing vulnerability • Technical • Attack & Penetration Testing • Network Security Review • Procedural • Privacy Impact Assessment • Policy Audit • Processes & Procedures Audit

  30. Risk and Vulnerability Assessment Estimate the outcomes which would result if your organization were to undergo: • A thorough Attack & Penetration test? • A thorough Network Security Review? • A thorough Privacy Policies Audit? • A thorough Operational Security (Processes & Procedures) Audit?

  31. Protecting Privacy & Security • Technology solutions • Procedural solutions

  32. Technology solutions • Firewalls → privacy, integrity, authentication • Encryption → privacy • Includes SSL (for web traffic), IPSec VPNs (for remote network access), PGP and S/MIME (for email), etc.

  33. Technology solutions • Passwords → authentication • Risks: reusable passwords, plaintext protocols • Tokens → authentication • Certificates → authentication • Intrusion Detection Systems / IDS → integrity, privacy

  34. Technology solutions • Digital signatures → integrity, authentication, non-repudiation • PKI → privacy, authentication, integrity, non-repudiation • PMI → authorization, privacy, authentication, integrity

  35. Procedural solutions • “Need to know” (principle of least privilege) → privacy • Change controls → privacy, authentication, integrity, non-repudiation

  36. Procedural solutions • Audit processes → increased assurance re. all factors • Technical standardization → privacy, authentication, integrity, non-repudiation

  37. Protecting Privacy & Security • What are the primary methods (procedural / technological) used by your organization to: • Protect privacy • Perform authentication • Ensure non-repudiation for online transactions • Maintain data and systems integrity

  38. Security & Privacy Management Capabilities Maturity Model (TM)

  39. Security & Privacy Management Capabilities Maturity Model (TM) • Measuring success using a baseline • Proprietary, standardized • Based on CERT’s Systems Security Engineering Capability Maturity Model • Provides maturity metrics on high-level organizational security and privacy capabilities

  40. SPM-CMM(TM) Level 1 • Organization handles Security & Privacy issues informally • Organization does not have documented Security & Privacy policies

  41. SPM-CMM(TM) Level 2 • Organization has documented Security & Privacy policies • Organization has assigned resources to plan Security & Privacy initiatives • Effective training programs re. Security & Privacy • Organization has effective processes to verify compliance with Security & Privacy policies

  42. SPM-CMM(TM) Level 3 • Organization has concrete Security & Privacy standards & requirements (policies, procedures, technical standards) • Organization has effective processes to verify consistency of all activities with Security & Privacy standards & requirements

  43. SPM-CMM(TM) Level 4 • Organization has measurable, quantitative Security & Privacy goals • Organization tracks objective performance relative to Security & Privacy goals • Strong individual accountability

  44. SPM-CMM(TM) Level 5 • Organization has an effective Continuous Improvement program for Security & Privacy • Organization has defined improvement goals, causal analysis of Security & Privacy performance issues, and systematic incremental feedback

  45. Security & Privacy Management Capabilities Maturity Model (TM) • On the scale from 1 to 5: you?

  46. Security & Privacy Management Capabilities Maturity Model (TM) • Important considerations: • What is the impact of moving to the next maturity level? • What changes to technologies, processes, and policy would you need to make?

  47. Long-Distance Health Care / Privacy • Public sector health care network enabling doctor-to-doctor communication between urban specialists and remote patients/hospitals/GPs • Cost effective communication required - a private network using internet technologies • Maintain privacy - information shared between organizations, across borders • Security technology, policy reviews • Privacy policies of all organizations amalgamated • Most stringent policy had to apply to all to ensure that all policies were met

  48. SPM-CMM(TM) Level 1 → Level 2 • Results • Policy review for all organizations • Co-ordination of all co-operating institutions’ privacy policies so that they were amalgamated and covered; had to use the most stringent policy • Training to properly handle exchange of information - varying legislative jurisdictions • Services • Needs Assessment, Privacy Impact Assessment, Gap Analysis, Policy Writing, Training

  49. Where do you rank your organization on the SPM-CMM(TM)? For security? For privacy? Overall?

  50. Thank you!!!! Carolyn Burke, MA, CISSP, CISM CEO, Integrity Incorporated www.integrityincorporated.com/subscribe.aspx
