510 likes | 525 Views
Learn how to identify and mitigate security and privacy risks using a risk management approach. This case study explores the causes of risks and the importance of protecting privacy and security. Evaluate your organization's maturity level and discover how to develop a risk management framework.
E N D
Mitigate Risk March 23, 2004, 2pm Carolyn Burke, MA, CISSP, CISM CEO, Integrity Incorporated
Background Information Identifying Risks Relationship between Privacy & Security What Causes Security & Privacy Risks Using a Risk Management Approach Risk and Vulnerability Assessment Protecting Privacy & Security Security & Privacy Management Capabilities Maturity Model Case Study! Things we should go over
1 2 3 4 5 But first, how mature do you think you are? • From 1 to 5, rate yourself: • on policy, process & procedures • on privacy & security • on technology
Identifying Risks What is at Risk? Assets of the organization include Secrets $$ Time, effort People
What else is at Risk? • Public trust in the organization • PR risk • May impede ability of the organization to operate effectively • Operational capabilities of the organization • Can be disrupted by unauthorized system modifications • Can be disrupted by Denial of Service and Distributed Denial of Service attacks
And still more • Your clients • Privacy of clients’ personal information • Legally protected (legislation) • Contractually protected (policy, contract) • What information must be protected? • Accuracy of clients’ personal information • Legal requirements • Operational necessity
Identifying Risks assets privacy? trust? people? operations?
The Relationship between Privacy & Security privacy confidentiality C I A security integrity availability
What Causes Security & Privacy Risks Technical vulnerabilities Fraud Operational issues The bad guys
Technical vulnerabilities • Technical faults • Software bugs, incorrect documentation • Misconfiguration • software, servers, firewalls / security systems, routers • various other network elements • Hardware failure • lack of redundancy • poor maintenance schedule
More technical vulnerabilities • Poor technical architecture • Lack of • appropriate perimeter defenses • intrusion detection systems • adequate access controls • adequate authentication systems • adequate authorization controls
Fraud • Intentional misrepresentation • By clients • By staff • By company executives • External parties misrepresenting the company
Insufficient checks & balances peer review periodic internal review external audit Human error Faulty procedures Undocumented or missing procedures Lack of standardization Operational issues • Do you have: • a security awareness program • a readable security policy • an incident response plan
Lack of a clear policy framework Poor real-time handling of security incidents Lack of privacy awareness among all staff Lack of security awareness among all staff Extreme shortage of security skills among IT staff More operational issues • Do you have: • a business continuity plan • a disaster recovery plan • a backup and recovery system
Bad guys • Amateur hackers • Well-intentioned researchers • Malicious professionals • Financially motivated professionals (your loss, their gain)
What Causes Security & Privacy Risks What high-level approach does your organization use today to address security & privacy issues? • How effective is it?
The Risk Management Approach to Security & Privacy Strategy You can’t eliminate 100% of risks…
The Risk Management Approach to Security & Privacy Strategy … but you can develop a risk management framework which...
A Risk Management Framework • takes a strategic approach • provides a disciplined cost-benefit framework • establishes clear high-level policies to guide tactical decision-making • provides detailed processes & procedures
A Risk Management Framework • specifies appropriate levels of protection (technical & procedural) based on sound analysis of vulnerabilities & resulting risks • sets technical standards • justifies security & privacy expenditures on both an economic & a legislative basis
The Risk Management Approach: Key Components • Driven by risk analysis • Types of risks X Probabilities of risk X Costs of losses • Types of risk mitigation - impact on probabilities and losses • High-level security & privacy mandate - policies! • Accountability in all risk-related activities • Success factors • Continuous Improvement • Dynamic response to new threats
Continuous Security Framework Okay, this is for the CSO.
Continuous Security Framework f low of c o n t r o l flow of knowledge verification
Continuous Security Framework Metrics & Continuous Improvement
The Risk Management Approach to Security & Privacy Strategy Map out the high-level steps your organization needs to take to use a risk-management approach to privacy and security.
Risk and Vulnerability Assessment Risk vs. Vulnerability Risk is economic & legal Vulnerability is technical & procedural
Quantifying risk Economic Risk ($) = Types of risks Probabilities of risk (%) Costs of losses ($)
Assessing vulnerability • Technical • Attack & Penetration Testing • Network Security Review • Procedural • Privacy Impact Assessment • Policy Audit • Processes & Procedures Audit
Risk and Vulnerability Assessment Estimate the outcomes which would result if your organization were to undergo: • A thorough Attack & Penetration test? • A thorough Network Security Review? • A thorough Privacy Policies Audit? • A thorough Operational Security (Processes & Procedures) Audit?
Protecting Privacy & Security Technology solutions Proceduralsolutions
Technology solutions • Firewalls privacy, integrity, authentication • Encryption privacy • Includes SSL (for web traffic), IPSec VPNs (for remote network access), PGP and SMIME (for email), etc.
Technology solutions • Passwords authentication • Risks: reusable passwords, plaintext protocols • Tokens authentication • Certificates authentication • Intrusion Detection Systems / IDS integrity, privacy
Technology solutions • Digital signatures integrity, authentication, non-repudiation • PKI privacy, authentication, integrity, non-repudiation • PMI authorization, privacy, authentication, integrity
Procedural solutions • “Need to know” (principle of least privilege) privacy • Change controls privacy, authentication, integrity, non-repudiation
Procedural solutions • Audit processes increased assurance re. all factors • Technical standardization privacy, authentication, integrity, non-repudiation
Protecting Privacy & Security • What are the primary methods (procedural / technological) used by your organization to: • Protect privacy • Perform authentication • Ensure non-repudiation for online transactions • Maintain data and systems integrity
Security & Privacy Management Capabilities Maturity Model (TM)
Security & Privacy Management Capabilities Maturity Model (TM) • Measuring success using a baseline • Proprietary, standardized • Based on CERT’sSystems Security Engineering Capability Maturity Model • Provides maturity metrics on high-level organizational security and privacy capabilities
1 SPM-CMM(TM) Level 1 • Organization handles Security & Privacy issues informally • Organization does not have documented Security & Privacy policies
2 SPM-CMM(TM) Level 2 • Organization has documented Security & Privacy policies • Organization has assigned resources to plan Security & Privacy initiatives • Effective training programs re. Security & Privacy • Organization has effective processes to verify compliance with Security & Privacy policies
3 SPM-CMM(TM) Level 3 • Organization has concrete Security & Privacy standards & requirements (policies, procedures, technical standards) • Organization has effective processes to verify consistency of all activities with Security & Privacy standards & requirements
4 SPM-CMM(TM) Level 4 • Organization has measurable, quantitative Security & Privacy goals • Organization tracks objective performance relative to Security & Privacy goals • Strong individual accountability
5 SPM-CMM(TM) Level 5 • Organization has an effective Continuous Improvement program for Security & Privacy • Organization has defined improvement goals, causal analysis of Security & Privacy performance issues, and systematic incremental feedback
1 5 Security & Privacy Management Capabilities Maturity Model (TM) you?
Security & Privacy Management Capabilities Maturity Model (TM) • Important considerations: • What is the impact of moving to the next maturity level? • What changes to technologies, processes, and policy would you need to make?
Long-Distance Health Care / Privacy Public sector health care network enabling doctor-to-doctor communication between urban specialists and remote patients/hospitals/GPs Cost effective communication required - a private network using internet technologies Maintain privacy - information shared between organizations, across borders Security technology, policy reviews Privacy policies of all organizations amalgamated Most stringent policy had to apply to all to ensure that all policies were met
SPM-CMM(TM) Level 1 Level 2 Results • Policy review for all organizations • Co-ordination of all co-operating institutions’ privacy policies so that they were amalgamated and covered; had to use the most stringent policy • Training to properly handle exchange of information - varying legislative jurisdictions Services • Needs Assessment, Privacy Impact Assessment, Gap Analysis, Policy Writing, Training
Where do you rank your organization on the SPM-CMM(TM)? For security? For privacy? Overall?
Thank you!!!! Carolyn Burke, MA, CISSP, CISM CEO, Integrity Incorporated www.integrityincorporated.com/subscribe.aspx