430 likes | 606 Views
ABA WEBCAST BRIEFING. Foundations of Information Security. Presented by: Peter S. Browne Principal Manager Peter Browne & Associates, LLC. Projected B2B eCommerce Growth. 2004 Predictions. Gartner 7.3 Trillion. Forrester 6.3 Trillion. Goldman 3.2 Trillion. emarketer 2.8 Trillion.
E N D
ABA WEBCAST BRIEFING Foundations of Information Security Presented by: Peter S. Browne Principal Manager Peter Browne & Associates, LLC
Projected B2B eCommerce Growth 2004 Predictions Gartner7.3 Trillion Forrester6.3 Trillion Goldman3.2 Trillion emarketer2.8 Trillion Ovum1.4 Trillion
Internet Users Worldwide Source: IDC
Risk Management In Perspective - Drivers • New Technologies • Web presence • Online transactions • Delivery of professional services via the Internet • New Risks • Cyber-extortion • Network security breaches • Litigation • Loss of “intangible” information • Dependence on third party service providers
The Problem • 85% of Companies report at least one Computer Security Breaches last year • 90% report Vandalism attacks • 78% report Denial of Service attacks • 64% Acknowledged financial losses due to these attacks • Average loss: $2,000,000 • Melissa = $80 million total • Denial of Service (Mafia Boy) = $1.2 billion • Love Bug - $10 billion Statistical data provided by CSI/FBI 2001 report
The Computer Attack Risks • Loss or damage to Data • Legal Liability to Others • Loss or damage to Reputation • Loss of Market capitalization and resulting Shareholder lawsuits
Foundations • Managing risk includes the following components: • Accept • Mitigate • Transfer a portion of the risk to an insurance underwriter
Traditional Commerce Centralized systems in glass house Economy of scale Managed risk Security says NO Electronic Commerce Distributed systems everywhere Economy of dispersion Distributed risk Security is an enabler Electronic Commerce: A Paradigm Shift
Business Drivers for Security • The effect of the Internet on banking and financial services • Movement from information “silos” to information integration • Holistic view of risk management • Increasing global regulatory oversight • Effect of GLBA • Increasingly proactive regulatory agencies and audits • More pervasive and complex technologies
The Four Foundations of Protection • People • Board and management commitment, dedicated technical personnel, crisis management team all in place and active! • Process • Enterprise ISO7799 ready, on-going management, employee education and regular training, patch management. • Technology • Monitoring/log review, DMZ zones, firewall, anti-virus software, intrusion detection systems, remote access two factor authentication, audit trails.
The Overriding Objective Security should be at the table whenever the technology or the business strategy changes, whether the technology is managed in-house or it is outsourced to third parties
People Success Factors • Set up the right organization
Organizational Placement of IT Security • Report separately from IT (Audit, Security, Legal, Finance) • Report directly to CIO/Head of Technology • Report into CTO/Operations • Part time function • Split function
Roles and Responsibilities • Set policy/standards/guidance • Act as internal consultant • Perform system/security operations • Provide oversight over outsourced/third party technology providers • Conduct/manage assessments and audits
Ownership • What to centralize: • Policy, standards, guidance • Test and validation of security • Cross-enterprise coordination • System-wide administration • What to decentralize: • Accountability • Risk acceptance • User access administration
People Success Factors • Set up the right organization • Get good people and train them adequately
Security Must Add Value • Facilitate, don’t obfuscate • Be a perpetual student • Provide solutions to business needs • Communicate, communicate, communicate • Be an agent of change • Focus on operational excellence • Treat risk as part of the business equation • Clearly articulate what is expected
What Is the Scope? • Make security enterprise-wide… and coordinated with all business units • Focus early in the product/software life cycle • Enlist allies: • Business units • Legal • Operations • Risk management • Earn your budget!
Preach Security Awareness • Educated management • Understand risk • To the enterprise • To the given business • To the individual • Application of security standards • In the software development life cycle • In the management of platforms
People Success Factors • Set up the right organization • Get the good people and train them adequately • Get management commitment
Probability of Occurrence 0 Value of Fraud Articulate Risk in Business Terms • Value of the asset • Probability of a loss • Likely cost over time
Control Analogy: ATM versus Internet ATM Yes Yes Yes Yes Yes Yes Yes Yes Yes Internet No No No Maybe Maybe No No Maybe Maybe Known and limited number of customer entry points Two-factor authentication required (card plus PIN) Camera recording all activity Limited amount of cash available for withdrawal Full audit trail of all activity Physical limits to bulk fraud Customer cannot stop an initiated transaction Settlement and problem resolution processes in place Customer has receipt to verify transaction
Management Involvement • Top-level steering committee • Task force • Advisory board • Reporting key performance indicators • Reporting incidents • Compliance checking
Process Success Factors • Put policy and standards in place
Ensure compliance with standards Implement guidelines on systems Translate standards into security guidelines Develop and document "baseline" security standard Update policies Assess current security state Security Life Cycle Steps
Policy Standards Guidelines Procedures Practice Top-level Policy • Broad statement of intent • Sets the expectations for compliance • Must acknowledge individual accountability • Culture-dependent • Must cover appropriate use • Must be enforced
Standards Policy Guidelines Procedures Practice Standards • Describe what to do, not how to do it • Explain the application of policy • Cover all elements of information security • Use existing models (I4 & ISF) • Provide the cornerstone for compliance
Guidelines • Tell how to meet standards • Are platform- or technology-specific • Provide examples and configuration recommendations • Must be kept up to date Policy Guidelines Standards Procedures Practice
Process Success Factors • Put policy and standards in place • Build a robust program
Desired State of Security • Desired state of security: The level of security controls needs to correspond to the value/sensitivity of the underlying information asset: “risk-based” • Security must: • Be incorporated into the development process • Be part of the overall architecture • Be part of the project management and implementation process • Be part of system administrators’ and network planners’ job function • Keep current with technologies because they evolve rapidly. What worked yesterday may not be valuable today (digital certificates, application proxy firewalls, biometrics, IDS)
Process Success Factors • Put policy and standards in place • Build a robust program • Track metrics for accountability
Technology Success Factors • Protect the perimeter
Perimeter Control • Firewall technology in place to protect • Concept of a DMZ • Intrusion Detection • Network based • Host based • Standardized system configuration
Hosts(systemof record) Middleware Call Center AOL Web Servers Tandem Internet Third Party ATM Nets Kiosks Vendors VRU Middleware Home Phone PFM Network PFM Bank Systems Vendors
Technology Success Factors • Protect the perimeter • Provide consistent security services
Consistent Security Services • Remote access authentication and authorization • Remote dial in access • Internet access • Business to business links • System management • Lockdown of access • File protection • Security patches
Technology Success Factors • Protect the perimeter • Provide consistent security services • Capture audit data
Audit Trails • What to capture • All access to systems • All intrusion attempts • Financial transactions • Access to sensitive data • Uses • Digital forensics • Monitoring of security • Improving performance
Information Security as the Foundation for Electronic Commerce • The people are the critical components, but they must be supported by management and trained • The process starts with the policy, and concludes with implementation • The technology must be put in place to manage and enforce security • Management commitment is not difficult… if • Metrics: If you can’t measure it, you can’t control it • Information security bridges the business and the technology
The Future In the future, there’ll be just two kinds of banks —the ones on the Internet and the ones who never saw it coming.