Microsoft Belgium Security Summit Georges Ataya, Solvay Business School, ISACA Belux; Detlef Eckert, Microsoft EMEA
Agenda • Introduction • How could you discuss security with the business people in your organisation? • What security solutions can help to grow the business? • What about security and Microsoft technology? • Risk Assessment: How to calculate the "economic impact" of a security incident? • Conclusions: Isn't it all about complexity?
Agenda (section divider): Introduction
Introduction: the Security of Exclusion ("Protection") versus the Security of Inclusion ("Enablement"). Source: PricewaterhouseCoopers LLP
Finding the Right Balance: the challenge is to meet conflicting requirements: cost, functionality, availability, control and security.
Agenda (section divider): How could you discuss security with the business people in your organisation?
Management responsibility: Security Objectives (figure). Source: "IT Security Governance", the IT Governance Institute (ITGI.org)
Security management activity • Policy Development • Roles and Responsibilities • Design • Implementation • Monitoring • Awareness, Training and Education Source: the International Guidelines for Managing Risk of Information and Communications, Statement #1: Managing Security of Information, issued by the International Federation of Accountants
Business enablers • New technology provides the potential for dramatically enhanced business performance. • Information security can add real value to the organization by contributing to: • interaction with trading partners, • closer customer relationships, • improved competitive advantage and • protected reputation. • It can also enable new and easier ways to process electronic transactions and generate trust.
Security Enabled Business (figure: risk level plotted against impact to business and probability of attack; ROI from being connected and productive) • Reduce Security Risk: assess the environment; improve isolation & resiliency; develop and implement controls • Increase Business Value: connect with customers; integrate with partners; empower employees
Agenda (section divider): What security solutions can help to grow the business?
Business Challenges Requiring Security Solutions • eCommerce: Electronic Contract Signing; Non-Repudiation; Digital Rights Management • Mobile Workforce: Remote Access, VPN; Wireless LAN; Protect Laptop; Single-Sign-On • Compliance with Regulation: Basel II; Data Protection Regulation; E-Commerce Regulation (eSignature, eProcurement, eInvoice, …) • Collaboration & Communication: Confidentiality; Authentication; Availability; Secure Extranet
Agenda (section divider): What about security and Microsoft technology?
What about security and Microsoft technology? • How much to trust any technology, any business process and any operation? • Need for an adequate risk management process • Risk mitigation projects to be championed by management • What is Microsoft's track record in security, and what are its perspectives? • Analyse how those could impact your own critical business
Quality & Engineering Excellence: "Critical" & "Important" Security Bulletins (chart: number of bulletins against days after availability; values shown: 36 and 6)
Common Criteria Certification: Microsoft will certify all eligible products where a stable Protection Profile is available and customer need is demonstrated. • Windows 2000 Server, Windows 2000 & Windows 2000 Certificate Server: Certified EAL4+ • ISA: Certified EAL2 • Windows Server 2003, Windows XP, ISA 2004: In evaluation • SQL Server, Exchange: In planning
Agenda (section divider): Risk Assessment: How to calculate the "economic impact" of a security incident?
Risk management pyramid (figure): Mission and Vision; Operating Principles; Risk Based Decision Model; Tactical Prioritization. Components of Risk Assessment • Asset: What are you trying to assess? • Threat: What are you afraid of happening? • Vulnerability: How could the threat occur? • Mitigation: What is currently reducing the risk? • Impact: What is the impact to the business? • Probability: How likely is the threat given the controls? • Impact + Probability = Current Level of Risk: What is the probability that the threat will overcome controls to successfully exploit the vulnerability and affect the asset?
"Economic impact" of a security incident? • A business exercise, not an exercise for IT professionals alone • Related to asset identification and valuation • Impact should include various cost elements: • Loss of opportunity • Reputation impact • Replacement costs • The value of integrity, availability and confidentiality of information
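The two slides above give the components of a risk assessment (asset, threat, vulnerability, mitigation, impact, probability, current level of risk) and the cost elements that make up the economic impact, but not a way to turn them into numbers. The following is an added example, not code from the summit deck or from Microsoft: it scores a small risk register the way a practitioner would, taking the economic impact of one incident as the sum of the four cost elements, the probability as an assumed threat frequency reduced by each control's assumed effectiveness, and the current level of risk as impact multiplied by probability (an annualised loss), then ranks the risks for tactical prioritisation and prices a candidate mitigation. The register entries, the euro figures, the frequencies, the control effectiveness values and the qualitative banding thresholds are all constructed for illustration.

```python
"""Risk register scoring. Added example; figures and thresholds are constructed, not from the deck."""
from dataclasses import dataclass, field, replace

# Qualitative banding (assumed for the example): (impact band, probability band) -> risk rating.
RISK_MATRIX = {
    ("high", "high"): "high", ("high", "medium"): "high", ("high", "low"): "medium",
    ("medium", "high"): "high", ("medium", "medium"): "medium", ("medium", "low"): "low",
    ("low", "high"): "medium", ("low", "medium"): "low", ("low", "low"): "low",
}


@dataclass
class Risk:
    asset: str                 # What are you trying to assess?
    threat: str                # What are you afraid of happening?
    vulnerability: str         # How could the threat occur?
    # Cost elements of a single incident, in euros (constructed figures).
    loss_of_opportunity: float
    reputation_impact: float
    replacement_costs: float
    information_value: float   # value of the integrity, availability and confidentiality of the information
    threat_frequency: float    # assumed occurrences per year if no control were in place
    # What is currently reducing the risk? name -> fraction of attempts the control stops (0..1).
    mitigations: dict = field(default_factory=dict)

    def single_loss(self) -> float:
        """Economic impact of one incident: the sum of the cost elements."""
        return (self.loss_of_opportunity + self.reputation_impact
                + self.replacement_costs + self.information_value)

    def residual_frequency(self) -> float:
        """How likely is the threat given the controls? Controls are assumed independent,
        so the fraction of attempts that get past all of them is the product of (1 - effectiveness)."""
        freq = self.threat_frequency
        for effectiveness in self.mitigations.values():
            freq *= (1.0 - effectiveness)
        return freq

    def annual_loss(self) -> float:
        """Current level of risk, expressed as annualised loss: impact x probability."""
        return self.single_loss() * self.residual_frequency()


def band(value: float, high: float, medium: float) -> str:
    """Map a number onto a high/medium/low band using the given thresholds."""
    if value >= high:
        return "high"
    if value >= medium:
        return "medium"
    return "low"


def rating(risk: Risk) -> str:
    """Qualitative current risk level from the impact and probability bands (assumed thresholds)."""
    impact = band(risk.single_loss(), high=500_000, medium=50_000)
    probability = band(risk.residual_frequency(), high=1.0, medium=0.1)
    return RISK_MATRIX[(impact, probability)]


def prioritize(register: list) -> list:
    """Tactical prioritisation: highest annualised loss first."""
    return sorted(register, key=lambda r: r.annual_loss(), reverse=True)


def control_payback(risk: Risk, name: str, effectiveness: float, annual_cost: float) -> float:
    """Net annual benefit of adding one control: risk reduction minus the control's annual cost."""
    with_control = replace(risk, mitigations={**risk.mitigations, name: effectiveness})
    return (risk.annual_loss() - with_control.annual_loss()) - annual_cost


def build_register() -> list:
    """Constructed sample register covering three of the business challenges from the deck."""
    return [
        Risk("Sales laptops", "Laptop lost or stolen", "Customer data stored unencrypted on disk",
             20_000, 150_000, 2_000, 80_000, threat_frequency=2.0,
             mitigations={"asset tagging": 0.1}),
        Risk("Partner extranet", "Unauthorised order placement", "Shared partner passwords",
             100_000, 300_000, 0, 200_000, threat_frequency=0.5,
             mitigations={"web application firewall": 0.5, "access log review": 0.2}),
        Risk("Mail server", "Worm outbreak", "Unpatched servers",
             10_000, 5_000, 3_000, 2_000, threat_frequency=4.0,
             mitigations={"patch management": 0.8, "antivirus": 0.5}),
    ]


if __name__ == "__main__":
    for r in prioritize(build_register()):
        print(f"{r.asset:18} impact {r.single_loss():>9,.0f} EUR  p/yr {r.residual_frequency():.2f}"
              f"  annual loss {r.annual_loss():>9,.0f} EUR  rating {rating(r)}")
    laptops = build_register()[0]
    print("full-disk encryption net benefit:", control_payback(laptops, "full-disk encryption", 0.95, 30_000))
```

The multiplicative treatment of controls and the euro thresholds are modelling choices for this example, not something the deck prescribes; the point it illustrates is that once the four cost elements are priced and the probability is stated against the controls actually in place, a mitigation project can be argued to management in the same currency as the risk it removes.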
Agenda (section divider): Conclusions: Isn't it all about complexity?
A complexity issue • Continuously growing complexity of systems, processes and number of involved stakeholders • Stakeholders include technical decision makers (TDM) and business decision makers (BDM) • Alignment is required between TDM and BDM on: • Security requirements driven by enterprise requirements • Security solutions fit for enterprise processes • Investment in information security aligned with the enterprise strategy and the agreed-upon risk profile
Resources • General http://www.microsoft.com/security • Consumers http://www.microsoft.com/protect • Security Guidance Center http://www.microsoft.com/security/guidance • Tools http://www.microsoft.com/technet/Security/tools • How Microsoft IT Secures Microsoft http://www.microsoft.com/technet/itsolutions/msit • E-Learning Clinics https://www.microsoftelearning.com/security • Events and Webcasts http://www.microsoft.com/seminar/events/security.mspx
Security Mobilization Initiative • Security = People, Processes & Technology • http://www.microsoft.com/belux/nl/securitymobilization/default.mspx • Training & Offerings • Security Partners • CTECs • Microsoft Events • Tools • Security Guidance Kit
Next Events • TechNet Evening: Application & Data Security (17, 18, 19 May) • Active Directory Security, John Craddock (June 3rd) • MSDN Evening Chapter: SharePoint Development (June 3rd) • TechNet Evening: Advanced Client & Server Security (22, 23, 24 June) • http://www.microsoft.com/belux/nl/securitymobilization/events.mspx