430 likes | 542 Views
Defending the Digital Frontier. Rudy Giuliani’s Call to Action.
E N D
Rudy Giuliani’s Call to Action The time has come for senior executives of U.S. corporations to follow the President's lead and make security a mainstream business critical, board-level issue…the time when security-related decisions could be left to persons at a mid-manager level or decided solely upon budgetary considerations has passed. Senior executives must now take the steps to plan, prepare and practice to address their organizational security threats and challenges.
Digital Security Breach:The True Cost Cost $15 to $20 million or 1% to 1.5% of Sales per Incident Tangible Losses Intangible Losses • Lost Productivity • IT Support Costs • IT systems/software • Damage to Brand • Third party liability • Loss of customer/ supplier confidence The greatest loss as a result of an IT security breach is the intangible impact
Security drivers in Today’s complex environment Homeland Security Shareholder Value Productivity ROI Risk Profits HIPAA GLB Sarbanes Oxley Patriot Act Homeland Security Act Economic Drivers BS7799 CBCP CISSP Industry/Regulatory Groups Standards FSISAC Infraguard ISACA ISF ISSA NCUA NIST BAI DOC DOT FDIC Federal Reserve FEI FFIEC ISO 17799 ITIL SANS/GIAC Authentication Authorization Administration Encryption Firewall/VPN Complex Technologies Security Management Network Management Operational Integrity Managed Security Services
Multiple Drivers Are Bringing Digital Security to the Boardroom Triple Witching Event Homeland Defense (Homeland Security Act, USA Patriot Act) Privacy/Fraud (CA1386, GLB, HIPAA) Digital Security Sarbanes-Oxley
IT Executives are increasingly focused on controls HIPAA Sarbanes-Oxley Homeland Security ImprovingFunction ImprovingControl • Feature • Productivity • Reliability • Security • Predictability • Stability Technical Advances & Increasing Regulation
What is the Digital Frontier? The digital frontier is the forward edge of technological impact with respect to organizations’ usage of technology and their reliance upon it for productivity improvements. High ProductivityImprovement Mobile Relianceon IT Internet Client/Server MF Low 1970s 1980s 1990s 2000s Low IT Usage High
Increase Security Risks As organizations invest for productivity improvement to the edge of digital frontier they also encounter increased security risks via a greater impact of and probability of technology failures. High Mobile Increased Risk Impact of Failure Internet Client/Server MF Low 1970s 1980s 1990s 2000s Probability of Failure Low High
The Security Frontier The digital frontier and corresponding security risk combine to create a new frontier. We call this the security frontier. High ProductivityImprovement/Increased Risk Reliance on ITImpact of Failure Low 1970s 1980s 1990s 2000s Low IT UsageProbability of Failure High
The Digital Security Gap Caught up in the pursuit of productivity improvements, management apparently overlooked security. High Total IT Spending DigitalSecurityGap TotalSpending Low Total Security Spending 1990’s Time 2000’s
BusinessObjectives 1) Aligned The attainment and maintenance of appropriate alignment between digital security, the IT organization, digital asset and business objectives. DigitalAssets The distance between the top levels of management and the security team is known as theSecurity Management Gap. Aligned ITOrganization 79% of respondents in the 2002 Ernst & Young Digital Security Overview survey indicated that the documentation, implementation, and follow-through cycle for their information security policies was not being carried out completely. DigitalSecurity
2) Enterprise-Wide A holistic view of the security needs for the entire organization, as well as its extended enterprise, to ensure consistent, efficient deployment. Critical authority is given to a centralized body to ensure consistently highly effective security throughout the organization. Corporate 86% of companies surveyed have intrusion detection systems in place. However, of those companies, only 35% actively monitor 95% to 100% of their critical servers for intrusions.
3) Continuous Real-time monitoring and updating of all security policies, procedures, and processes to ensuring a timely response to issues and opportunities. Not occasionally. Not periodically. Continuously. 46% of respondents indicated that they use manual or partially automated methods of tracking physical assets as opposed to fully automated methods.
4) Proactive Periodic Assessment The ability of a security program to be able to effectively anticipate potential threats and vulnerabilities and to maintain the confidentiality, integrity, and availability of these digitally. Ongoing Monitoring Initial Assessment High Proactive RiskIntelligence Traditional Only 16% percent of respondents have wide-scale deployment of vulnerability tracking mechanism, and knowledge of all critical information vulnerabilities. Low Time
5) Validated Achieving highly effective digital security requires third-party validation of critical security components and business objectives. 3rd Party Validated Peer Tested Self 66% of respondents indicated that their information security policies are not in complete compliance with the domains defined by ISO 17799, CISSP, Common Criteria, or other recognized models. Deployed To a Unit To a Standard To a Business Objective Rigor of Validation
6) Formal Policies, standards, and guidelines, which provide fundamental direction on digital security issues and are endorsed by senior staff. To be formal, they must be documented and tested, then communicated to every member of the organization. Documented Formal Highly Documented Situational Experienced-based Minimally 13% of respondents have integrated business continuity and disaster recovery plans that address recovering the entire enterprise. 7% indicated they have no documented plans in place. Minimally Highly Confirmed
Technology and Business Objective Drives Requirements Security Requirements Zones High Trusted System Zone Bank ATM Health CareSystem FinancialSystem Managed Risk Zone ElectricalPower Impact EmailServer PublicWeb Server Minimum Standards Zone eCommerceSystem InformationKiosk Low Low Probability of Failure High
9 Strategic Areas of “The Security Agenda” Policies, Standards, & Guidelines Intrusion & Virus Detection Incident Response Physical Security Privacy Asset & Service Management Vulnerability Management Entitlement Management SecurityStrategy Business Continuity
Complex Organizational Transformation PEOPLE PROCESS All 3 Components Needed TECHNOLOGY
Intrusion and Virus Detection OperatingSystem Database Application Intrusionand Virus Detection Biometrics Router SNMP Firewall WebServer
Incident Response Incident Response Program EventLifecycle ProgramLifecycle Mobilize Administer
Privacy Stakeholder Expectations Legislation Organization Ongoing Monitoring Re-certification MAINTAIN BASELINE Benchmarking/Roadmaps People Policies Operations Technology Independent VerificationService Provider ComplianceData Registration DIAGNOSE VERIFY IMPROVE Remediation Plans Training
Policies, Standards, and Guidelines Policies, Standardsand Guidelines
Physical Security Procedural Digital Biometrics, Infrared,Authentication, Surveillance Biometrics, Infrared,Authentication, Surveillance PHYSICALSECURITY Fences, Walls, GatesGuards, Cameras Structural
Asset & Service Management Portfolio Management and Track Assets Automate Processes PEOPLE PROCESS Financial Manage Asset FinancialInformation Budget Analysis Cable and Circuit Manage Connectivityand Cable Plant ASSETMANAGEMENT Aid Decision-making Streamline Processes Manage and TrackContracts Procurement Contracts TECHNOLOGY
Vulnerability Management Accountability Compliance Audit AbilityGovernance and Accountability All CriticalInfrastructure KeyAssetsTeam CFOTeam Deployment Workflow/TrackingFeasible DeploymentKnow Critical Assets Serve andProtect Systems KeyAssetsTeam IT AuditTeam Knowledge KeyAssetsTeam CIOTeam ConfigurationsPoliciesAlerts JustProtectSystems KeyAssetsTeam SecuritySystemsTeam SecurityTeam Expanding control Expanding scope over critical infrastructure IT Process Technology & People
Entitlement Management AccessManagement IdentityManagement EntitlementManagement Secure Portals Data Model Metadirectory Authentication Management Single Sign-On Access Control User Management Policy Management
Business Continuity DEFINE BusinessContinuityRoadmap BusinessImpactAssessment ANALYZE Threatand RiskAssessment RecoveryStrategies BusinessContinuityPlan PlanMaintenanceProgram IMPLEMENT DESIGN
A Scorecard for Evaluation & Action Enterprise-wide Continuous Proactive Validated Aligned Formal Policies, Standards, & Guidelines Intrusion & Virus Detection Incident Response Physical Security Privacy Asset & Service Management Vulnerability Management Entitlement Management Business Continuity High Risk Medium Risk Low Risk
Security Organizational Framework C E O Public, Media,Government Relations Security Committee Privacy Officer Asset Management Physical Security Security Officer Continuity Planning Service Management Planning Architecture Operations Monitoring • Business Requirements • Education • Formal Communications • Governance • Policies • Project Management • Risk Assessment • Requests for Proposals (RFP) • Standards & Guidelines • Technical Requirements/Design • Technical Security Architecture • Technology Solutions • Incident Response • Access Control/ Account Management • Investigations • Standards/Solutions Deployment • Training & Awareness • Vulnerability Management • Auditing • Reporting • Systems Monitoring • Security Testing
Executive management must understand • Scenario-based simulations – Table-Top Exercises • The organizations response • Critical roles and responsibilities • Actions plans to minimize the effect of an incident • Monitor and test responses
Model and Define RiskEstablish consistent threat categories CategoryLevel Dept. of HomelandSecurity Risk Digital Impact/Risk HomelandLevel Risk toCustomer Segment 5 Severe Red Risk to MultipleCustomers 4 High Orange Chronic or Seriesof Inefficiencies 3 Elevated Yellow Core Process orSystem Shutdown 2 Guarded Blue TacticalInefficiencies 1 Low Green
Understand Risk Posture Curve • Each of the 9 areas of the security agenda determine your risk posture, or how events will effect your organization • You risk posture changes as the environment and technology changes High Severe,5 High,4 Impact Level Impact of Occurrence Elevated,3 Guarded,2 Low,1 Low Low High Frequency of Occurrence
The Fulcrum of Control • The ability to control & contain digital security incidents is the key to success • Management must determine this tipping point or fulcrum and use it to drive their focus High ImmediateAction Fulcrum of Control 5 4 Impact of Occurrence 3 ROIDecision 2 1 Low Low High Frequency of Occurrence
Every time technology is changed or deployed the risk posture curve moves Management must recognize this and deploy security resources accordingly Forces Affecting Risk High 5 4 Impact of Occurrence New or ChangedTechnology 3 2 1 RiskManagement Low Low High Frequency of Occurrence
Manage Risk for a Competitive Advantage High • Maintaining digital availability when your competitors in your industry fail is critical for most companies long-term success 5 4 Impact of Occurrence 3 Company A 2 Industry 1 Low Low Frequency of Occurrence High
ENTERPRISEWIDE 4.13 4.15 4.15 4.05 3.94 3.95 3.95 CONTINUOUS 3.75 3.75 3.52 3.52 3.55 3.55 4.15 3.41 3.35 3.35 3.35 3.31 3.72 3.18 3.16 3.59 3.15 3.15 3.00 3.41 2.95 2.95 2.77 2.95 2.75 2.75 ALIGNED 2.77 2.55 2.55 4.15 3.95 3.75 3.55 3.35 3.15 2.95 2.75 2.55 2.55 2.75 2.95 3.15 3.35 3.55 3.75 3.95 4.15 PROACTIVE 2.88 2.55 2.55 2.91 2.75 2.75 3.00 2.95 2.95 3.15 3.15 3.25 3.03 3.29 Auto/Man Energy Financial Services Life Sciences Tech/Media Telecom 3.35 3.35 3.48 3.48 3.40 3.60 3.55 3.55 3.64 3.82 3.75 3.75 3.88 3.84 3.95 3.95 4.09 4.15 4.15 FORMAL VALIDATED 6 Characteristicsby Industry
Security “Orbit of Regard” • Security is a top executive issue • Today, companies will compete on being able to respond to a digital threat • Top executives must close the digital security gap. CustomerService MarketShare Products/Services CEO Growth DigitalSecurity1980s DigitalSecurity2000s DigitalSecurity1990s
Highly Effective Security Cultures: • are chief executive-driven • maintain a heightened sense of awareness • utilize a digital security guidance council • establish timetables for success and monitor progress • drive an enterprise-wide approach The level commitment of organization’s personnel to the principles of security will determine the success or failure of the digital security program.
For More Information… Sajay Rai CEO and Managing Partner, Securely Yours LLC 248-723-5224 Sajayrai@securelyyoursllc.com