Defending the Digital Frontier
Description: Defending the Digital Frontier. Rudy Giuliani's Call to Action. (PowerPoint presentation transcript)

Slide 1
Defending the Digital Frontier
Slide 2
Rudy Giuliani's Call to Action
"The time has come for senior executives of U.S. corporations to follow the President's lead and make security a mainstream business critical, board-level issue…the time when security-related decisions could be left to persons at a mid-manager level or decided solely upon budgetary considerations has passed. Senior executives must now take the steps to plan, prepare and practice to address their organizational security threats and challenges."
Slide 3
Digital Security Breach: The True Cost
Cost: $15 to $20 million, or 1% to 1.5% of sales per incident
Tangible losses:
• Lost productivity
• IT support costs
• IT systems/software
Intangible losses:
• Damage to brand
• Third-party liability
• Loss of customer/supplier confidence
The greatest loss as a result of an IT security breach is the intangible impact.
Slide 4
Security Drivers in Today's Complex Environment
[Diagram: the drivers acting on digital security, grouped as follows]
Legislation: HIPAA, GLB, Sarbanes-Oxley, Patriot Act, Homeland Security Act
Economic Drivers: ROI, Risk, Profits, Homeland Security, Shareholder Value, Productivity
Standards: BS7799, CBCP, CISSP, ISO 17799, ITIL, SANS/GIAC
Complex Technologies: Security Management, Network Management, Operational Integrity, Managed Security Services, Authentication, Authorization, Administration, Encryption, Firewall/VPN
Industry/Regulatory Groups: BAI, DOC, DOT, FDIC, Federal Reserve, FEI, FFIEC, FSISAC, Infraguard, ISACA, ISF, ISSA, NCUA, NIST
Slide 5
Multiple Drivers Are Bringing Digital Security to the Boardroom
[Diagram: three drivers converging on Digital Security, labelled a "Triple Witching Event"]
• Privacy/Fraud (CA1386, GLB, HIPAA)
• Sarbanes-Oxley
• Homeland Defense (Homeland Security Act, USA Patriot Act)
Slide 6
Technical Advances & Increasing Regulation
IT executives are increasingly focused on controls.
Improving function: Feature, Productivity, Reliability
Improving control: Security, Predictability, Stability
Regulation: HIPAA, Sarbanes-Oxley, Homeland Security
Slide 7
What is the Digital Frontier?
The digital frontier is the forward edge of technological impact with respect to organizations' usage of technology and their reliance upon it for productivity improvements.
[Chart: Reliance on IT (Low to High) against IT Usage (Low to High); Productivity Improvement rises from MF through Client/Server and Internet to Mobile across the 1970s, 1980s, 1990s and 2000s]
Slide 8
Increased Security Risks
As organizations invest for productivity improvement to the edge of the digital frontier, they also encounter increased security risks through a greater impact and probability of technology failures.
[Chart: Impact of Failure (Low to High) against Probability of Failure (Low to High); MF, Client/Server, Internet and Mobile move toward Increased Risk across the 1970s, 1980s, 1990s and 2000s]
Slide 9
The Security Frontier
[Chart: the digital frontier (Productivity Improvement / Reliance on IT against IT Usage) overlaid with Increased Risk (Impact of Failure against Probability of Failure), both rising across the 1970s to the 2000s]
The digital frontier and corresponding security risk combine to create a new frontier. We call this the security frontier.
Slide 10
The Digital Security Gap
Caught up in the pursuit of productivity improvements, management apparently overlooked security.
[Chart: Total Spending (Low to High) over Time (1990s to 2000s); the difference between Total IT Spending and Total Security Spending is the Digital Security Gap]
Slide 11
6 Key Security Characteristics
Slide 12
1) Aligned
[Diagram: Digital Security aligned with Business Objectives, Digital Assets and the IT Organization]
The attainment and maintenance of appropriate alignment between digital security, the IT organization, digital assets and business objectives.
The distance between the top levels of management and the security team is known as the Security Management Gap.
79% of respondents in the 2002 Ernst & Young Digital Security Overview survey indicated that the documentation, implementation, and follow-through cycle for their information security policies was not being carried out completely.
Slide 13
2) Enterprise-Wide
A holistic view of the security needs for the entire organization, as well as its extended enterprise, to ensure consistent, efficient deployment. Critical authority is given to a centralized body to ensure consistently highly effective security throughout the organization.
86% of companies surveyed have intrusion detection systems in place. However, of those companies, only 35% actively monitor 95% to 100% of their critical servers for intrusions.
Slide 14
3) Continuous
Real-time monitoring and updating of all security policies, procedures, and processes to ensure a timely response to issues and opportunities.
46% of respondents indicated that they use manual or partially automated methods of tracking physical assets as opposed to fully automated methods.
Not occasionally. Not periodically. Continuously.
Slide 15
4) Proactive
[Chart: Risk Intelligence (Low to High) over Time; the Proactive approach pairs an Initial Assessment with Ongoing Monitoring, while the Traditional approach relies on Periodic Assessment]
The ability of a security program to effectively anticipate potential threats and vulnerabilities and to maintain the confidentiality, integrity, and availability of digital assets.
Only 16% of respondents have wide-scale deployment of vulnerability tracking mechanisms and knowledge of all critical information vulnerabilities.
Slide 16
5) Validated
[Diagram: Rigor of Validation increases from Self through Peer to 3rd Party, and the object of validation widens from a Unit to a Business Objective to a Standard; maturity steps are Deployed, Tested, Validated]
Achieving highly effective digital security requires third-party validation of critical security components and business objectives.
66% of respondents indicated that their information security policies are not in complete compliance with the domains defined by ISO 17799, CISSP, Common Criteria, or other recognized models.
Slide 17
6) Formal
[Diagram: two axes, Documented (Minimally to Highly) and Confirmed (Minimally to Highly); quadrants labelled Situational, Experience-based, Documented and Formal]
Policies, standards, and guidelines, which provide fundamental direction on digital security issues and are endorsed by senior staff. To be formal, they must be documented and tested, then communicated to every member of the organization.
13% of respondents have integrated business continuity and disaster recovery plans that address recovering the entire enterprise. 7% indicated they have no documented plans in place.
Slide 18
Technology and Business Objectives Drive Requirements
[Chart: Security Requirements Zones plotted as Impact (Low to High) against Probability of Failure (Low to High); three zones: Minimum Standards Zone, Managed Risk Zone, Trusted System Zone. Example systems placed on the chart: Information Kiosk, Public Web Server, Email Server, eCommerce System, Financial System, Health Care System, Bank ATM, Electrical Power]
Slide 19
The Security Agenda
Slide 20
9 Strategic Areas of "The Security Agenda"
Security Strategy at the center, surrounded by:
• Policies, Standards, & Guidelines
• Intrusion & Virus Detection
• Incident Response
• Physical Security
• Privacy
• Asset & Service Management
• Vulnerability Management
• Entitlement Management
• Business Continuity
Slide 21
Complex Organizational Transformation
Technology, Process, People: all 3 components needed.
Slide 22
Intrusion and Virus Detection
[Diagram: detection coverage spanning Database, Router, Firewall, Web Server, SNMP, Biometrics, Application and Operating System]
Slide 23
Incident Response
[Diagram: an Incident Response Program with a Program Lifecycle and an Event Lifecycle, spanning Mobilize and Administer]
Slide 24
Privacy
[Diagram: a privacy program cycle of Baseline, Diagnose, Improve, Maintain and Verify. Elements shown around the cycle: Stakeholder Expectations, Legislation, Organization; Benchmarking/Roadmaps, People, Policies, Operations, Technology; Remediation Plans, Training; Ongoing Monitoring, Re-certification; Independent Verification, Service Provider Compliance, Data Registration]
Slide 25
Policies, Standards, and Guidelines
Slide 26
Physical Security
[Diagram: three dimensions of physical security, Structural, Procedural and Digital, with controls grouped as Fences, Walls, Gates; Guards, Cameras; Biometrics, Infrared, Authentication, Surveillance]
Slide 27
Asset & Service Management
[Diagram: Asset Management at the intersection of Technology, Process and People. Domains: Cable and Circuit, Portfolio, Financial, Procurement, Contracts. Functions: Manage and Track Assets, Automate Processes, Manage Asset Financial Information, Budget Analysis, Manage Connectivity and Cable Plant, Aid Decision-making, Streamline Processes, Manage and Track Contracts]
Slide 28
Vulnerability Management
[Diagram: maturity grows along two axes, expanding control over the IT process and expanding scope over critical infrastructure (technology and people). Teams involved: CFO Team, IT Audit Team, CIO Team, Security Team, Security Systems Team, Key Assets Teams. Stages: Knowledge, Deployment, Accountability. Milestones: Just Protect Systems; Configurations, Policies, Alerts; Serve and Protect Systems; Know Critical Assets; Feasible Deployment; Workflow/Tracking; All Critical Infrastructure; Governance and Accountability; Audit Ability; Compliance]
Slide 29
Entitlement Management
[Diagram: Entitlement Management built from Identity Management and Access Management. Components: Secure Portals, Data Model, Metadirectory, Authentication Management, Single Sign-On, Access Control, User Management, Policy Management]
Slide 30
Business Continuity
[Diagram: phases Define, Analyze, Design, Implement. Deliverables: Business Continuity Roadmap, Business Impact Assessment, Threat and Risk Assessment, Recovery Strategies, Business Continuity Plan, Plan Maintenance Program]
Slide 31
A Scorecard for Evaluation & Action
[Scorecard matrix: rows are the security agenda areas (Policies, Standards, & Guidelines; Intrusion & Virus Detection; Incident Response; Physical Security; Privacy; Asset & Service Management; Vulnerability Management; Entitlement Management; Business Continuity); columns are the six characteristics (Aligned, Enterprise-wide, Continuous, Proactive, Validated, Formal); each cell is rated High Risk, Medium Risk or Low Risk]
Slide 32
Security Organizational Framework
[Org chart: CEO at the top, with a Security Committee and Public, Media, Government Relations. Reporting roles: Security Officer, Privacy Officer, Asset Management, Physical Security, Continuity Planning, Service Management. Four functional areas:
Planning: Business Requirements, Education, Formal Communications, Governance, Policies, Project Management, Risk Assessment, Requests for Proposals (RFP), Standards & Guidelines
Architecture: Technical Requirements/Design, Technical Security Architecture, Technology Solutions
Operations: Incident Response, Access Control/Account Management, Investigations, Standards/Solutions Deployment, Training & Awareness, Vulnerability Management
Monitoring: Auditing, Reporting, Systems Monitoring, Security Testing]
Slide 33
The Roadmap for Success
Slide 34
Executive management must understand:
• Scenario-based simulations – Table-Top Exercises
• The organization's response
• Critical roles and responsibilities
• Action plans to minimize the effect of an incident
• Monitor and test responses
Slide 35
Model and Define Risk
Establish consistent threat categories.
[Table: category level mapped to the Dept. of Homeland Security risk level]
Category Level | Homeland Level | Color
1 | Low | Green
2 | Guarded | Blue
3 | Elevated | Yellow
4 | High | Orange
5 | Severe | Red
Digital Impact/Risk categories: Tactical Inefficiencies; Chronic or Series of Inefficiencies; Core Process or System Shutdown; Risk to Multiple Customers; Risk to Customer Segment.
Slide 36
Understand Risk Posture Curve
[Chart: Frequency of Occurrence (Low to High) against Impact of Occurrence (Low to High), with impact levels Low (1), Guarded (2), Elevated (3), High (4), Severe (5)]
Each of the 9 areas of the security agenda determines your risk posture, or how events will affect your organization.
Your risk posture changes as the environment and technology change.
Slide 37
The Fulcrum of Control
[Chart: Impact of Occurrence (Low to High) against Frequency of Occurrence (Low to High), levels 1 to 5; the Fulcrum of Control separates events requiring Immediate Action from those that are an ROI Decision]
The ability to control & contain digital security incidents is the key to success.
Management must determine this tipping point or fulcrum and use it to drive their focus.
Slide 38
Forces Affecting Risk
Every time technology is changed or deployed the risk posture curve moves.
Management must recognize this and deploy security resources accordingly.
[Chart: the risk posture curve (Impact of Occurrence against Frequency of Occurrence, levels 1 to 5) with New or Changed Technology and Risk Management shown as forces acting on it]
Slide 39
Manage Risk for a Competitive Advantage
[Chart: Impact of Occurrence against Frequency of Occurrence, levels 1 to 5, comparing Company A's curve with the Industry curve]
Maintaining digital availability when your competitors in your industry fail is critical to most companies' long-term success.
Slide 40
6 Characteristics by Industry
[Chart: survey scores on a scale of 2.55 to 4.15 for each characteristic across six industries (Auto/Man, Energy, Financial Services, Life Sciences, Tech/Media, Telecom); the extracted values per characteristic are listed below, but their assignment to industries is not recoverable from the transcript]
Aligned: 2.77, 2.95, 3.41, 3.59, 3.72, 4.15
Enterprise-wide: 2.77, 3.00, 3.18, 3.35, 3.52, 3.94
Continuous: 4.05, 3.41, 3.52, 3.31, 4.13
Proactive: 2.91, 2.88, 3.40, 3.03, 3.00, 3.16
Validated: 3.82, 3.48, 3.29, 3.84
Formal: 3.48, 4.09, 3.25, 3.60, 3.64, 3.88
Slide 41
Security "Orbit of Regard"
[Diagram: the CEO at the center, orbited by Products/Services, Market Share, Customer Service and Growth; Digital Security moves from a distant orbit in the 1980s, closer in the 1990s, to the inner orbit in the 2000s]
Security is a top executive issue.
Today, companies will compete on being able to respond to a digital threat.
Top executives must close the digital security gap.
Slide 42
Highly Effective Security Cultures:
• are chief executive-driven
• maintain a heightened sense of awareness
• utilize a digital security guidance council
• establish timetables for success and monitor progress
• drive an enterprise-wide approach
The level of commitment of an organization's personnel to the principles of security will determine the success or failure of the digital security program.