Defending the Digital Frontier
Description: Defending the Digital Frontier. Rudy Giuliani’s Call to Action. PowerPoint presentation transcript.

Slide 1: Defending the Digital Frontier
Slide 2: Rudy Giuliani’s Call to Action

The time has come for senior executives of U.S. corporations to follow the President's lead and make security a mainstream business critical, board-level issue… the time when security-related decisions could be left to persons at a mid-manager level or decided solely upon budgetary considerations has passed. Senior executives must now take the steps to plan, prepare and practice to address their organizational security threats and challenges.
Slide 3: Digital Security Breach: The True Cost

Cost: $15 to $20 million, or 1% to 1.5% of sales per incident

Tangible losses:
• Lost productivity
• IT support costs
• IT systems/software

Intangible losses:
• Damage to brand
• Third-party liability
• Loss of customer/supplier confidence

The greatest loss as a result of an IT security breach is the intangible impact.
Slide 4: Security Drivers in Today’s Complex Environment

Legislation:
• HIPAA
• GLB
• Sarbanes-Oxley
• Patriot Act
• Homeland Security Act

Economic Drivers:
• ROI
• Risk
• Profits
• Homeland Security
• Shareholder Value
• Productivity

Standards:
• BS7799
• CBCP
• CISSP
• ISO 17799
• ITIL
• SANS/GIAC

Complex Technologies:
• Security Management
• Network Management
• Operational Integrity
• Managed Security Services
• Authentication
• Authorization
• Administration
• Encryption
• Firewall/VPN

Industry/Regulatory Groups:
• BAI, DOC, DOT, FDIC, Federal Reserve, FEI, FFIEC, FSISAC, Infraguard, ISACA, ISF, ISSA, NCUA, NIST
Slide 5: Multiple Drivers Are Bringing Digital Security to the Boardroom

Three converging drivers feed into Digital Security (the “Triple Witching Event”):
• Privacy/Fraud (CA1386, GLB, HIPAA)
• Sarbanes-Oxley
• Homeland Defense (Homeland Security Act, USA Patriot Act)
Slide 6: IT Executives Are Increasingly Focused on Controls

Technical advances and increasing regulation (HIPAA, Sarbanes-Oxley, Homeland Security) are moving the focus from improving function to improving control:
• Improving Function: Feature, Productivity, Reliability
• Improving Control: Security, Predictability, Stability
Slide 7: What Is the Digital Frontier?

The digital frontier is the forward edge of technological impact with respect to organizations’ usage of technology and their reliance upon it for productivity improvements.

Figure: Reliance on IT (low to high) plotted against IT usage (low to high), with productivity improvement rising along the frontier through MF (1970s), Client/Server (1980s), Internet (1990s) and Mobile (2000s).
Slide 8: Increased Security Risks

As organizations invest for productivity improvement to the edge of the digital frontier, they also encounter increased security risks through a greater impact and a greater probability of technology failures.

Figure: Impact of failure (low to high) plotted against probability of failure (low to high), with increased risk rising through MF (1970s), Client/Server (1980s), Internet (1990s) and Mobile (2000s).
Slide 9: The Security Frontier

The digital frontier and corresponding security risk combine to create a new frontier. We call this the security frontier.

Figure: The two previous charts overlaid: IT usage / probability of failure (low to high) on the horizontal axis and reliance on IT / impact of failure (low to high) on the vertical axis, with productivity improvement / increased risk rising from the 1970s to the 2000s.
Slide 10: The Digital Security Gap

Caught up in the pursuit of productivity improvements, management apparently overlooked security.

Figure: Total spending (low to high) over time (1990’s to 2000’s). Total IT spending and total security spending are plotted; the distance between the two curves is the digital security gap.
Slide 11: 6 Key Security Characteristics
Slide 12: 1) Aligned

Figure: Business Objectives, Digital Assets, the IT Organization and Digital Security shown in alignment.

The attainment and maintenance of appropriate alignment between digital security, the IT organization, digital assets and business objectives.

The distance between the top levels of management and the security team is known as the Security Management Gap.

79% of respondents in the 2002 Ernst & Young Digital Security Overview survey indicated that the documentation, implementation, and follow-through cycle for their information security policies was not being carried out completely.
Slide 13: 2) Enterprise-Wide

Figure: The corporate-wide view of the enterprise.

A holistic view of the security needs for the entire organization, as well as its extended enterprise, to ensure consistent, efficient deployment. Critical authority is given to a centralized body to ensure consistently highly effective security throughout the organization.

86% of companies surveyed have intrusion detection systems in place. However, of those companies, only 35% actively monitor 95% to 100% of their critical servers for intrusions.
Slide 14: 3) Continuous

Real-time monitoring and updating of all security policies, procedures, and processes to ensure a timely response to issues and opportunities.

46% of respondents indicated that they use manual or partially automated methods of tracking physical assets as opposed to fully automated methods.

Not occasionally. Not periodically. Continuously.
Slide 15: 4) Proactive

Figure: Risk intelligence (low to high) over time. The traditional approach relies on an initial assessment followed by periodic assessments; the proactive approach adds ongoing monitoring.

The ability of a security program to effectively anticipate potential threats and vulnerabilities and to maintain the confidentiality, integrity, and availability of its digital assets.

Only 16% of respondents have wide-scale deployment of vulnerability tracking mechanisms and knowledge of all critical information vulnerabilities.
Slide 16: 5) Validated

Figure: Rigor of validation increases from Self to Peer to 3rd Party, and from validation to a Unit, to a Business Objective, to a Standard; components progress from Deployed to Tested to Validated.

Achieving highly effective digital security requires third-party validation of critical security components and business objectives.

66% of respondents indicated that their information security policies are not in complete compliance with the domains defined by ISO 17799, CISSP, Common Criteria, or other recognized models.
Slide 17: 6) Formal

Figure: Policies rated on two axes, Documented (minimally to highly) and Confirmed (minimally to highly); the resulting regions are labelled Situational, Experience-based and Formal, with Formal at highly documented and highly confirmed.

Policies, standards, and guidelines, which provide fundamental direction on digital security issues and are endorsed by senior staff. To be formal, they must be documented and tested, then communicated to every member of the organization.

13% of respondents have integrated business continuity and disaster recovery plans that address recovering the entire enterprise. 7% indicated they have no documented plans in place.
Slide 18: Technology and Business Objectives Drive Requirements

Figure: Security requirements zones plotted by impact (low to high) against probability of failure (low to high): the Minimum Standards Zone, the Managed Risk Zone and the Trusted System Zone. Example systems plotted: Information Kiosk, Public Web Server, Email Server, eCommerce System, Bank ATM, Health Care System, Financial System, Electrical Power.
Slide 19: The Security Agenda
Slide 20: 9 Strategic Areas of “The Security Agenda”

Security Strategy sits at the center, surrounded by:
• Policies, Standards, & Guidelines
• Intrusion & Virus Detection
• Incident Response
• Physical Security
• Privacy
• Asset & Service Management
• Vulnerability Management
• Entitlement Management
• Business Continuity
Slide 21: Complex Organizational Transformation

Technology, Process and People: all 3 components are needed.
Slide 22: Intrusion and Virus Detection

Figure: Detection coverage across the infrastructure: Database, Router, Firewall, Web Server, SNMP, Biometrics, Application, Operating System.
Slide 23: Incident Response

Figure: The Incident Response Program spans two cycles, the Event Lifecycle and the Program Lifecycle, with Mobilize and Administer phases.
Slide 24: Privacy

Figure: A privacy program cycle of Baseline, Diagnose, Improve, Maintain and Verify, covering People, Policies, Operations and Technology. Elements shown: Independent Verification, Service Provider Compliance, Data Registration, Ongoing Monitoring, Re-certification, Stakeholder Expectations, Legislation, Organization, Remediation Plans, Training, Benchmarking/Roadmaps.
Slide 25: Policies, Standards, and Guidelines
Slide 26: Physical Security

Figure: Three layers of physical security: Structural, Procedural and Digital. Controls shown: Fences, Walls, Gates; Guards, Cameras; Biometrics, Infrared, Authentication, Surveillance.
Slide 27: Asset & Service Management

Figure: Asset Management spanning Technology, Process and People, with portfolio areas (Cable and Circuit, Portfolio, Financial, Procurement, Contracts) and functions:
• Manage and Track Assets
• Automate Processes
• Manage Asset Financial Information
• Budget Analysis
• Manage Connectivity and Cable Plant
• Aid Decision-making
• Streamline Processes
• Manage and Track Contracts
Slide 28: Vulnerability Management

Figure: A maturity chart of IT process, technology and people, with expanding control (Accountability, Deployment, Knowledge) on one axis and expanding scope over critical infrastructure on the other. Teams involved: Security Systems Team, Key Assets Team, Security Team, CIO Team, IT Audit Team, CFO Team. Stages shown: Just Protect Systems (Configurations, Policies, Alerts); Serve and Protect Systems (Workflow/Tracking, Feasible Deployment, Know Critical Assets); All Critical Infrastructure; Compliance, Audit Ability, Governance and Accountability.
Slide 29: Entitlement Management

Figure: Entitlement Management comprises Identity Management and Access Management. Components shown: Secure Portals, Data Model, Metadirectory, Authentication Management, Single Sign-On, Access Control, User Management, Policy Management.
Slide 30: Business Continuity

Figure: A Business Continuity Roadmap through four phases, Define, Analyze, Design and Implement, producing a Business Impact Assessment, a Threat and Risk Assessment, Recovery Strategies, a Business Continuity Plan and a Plan Maintenance Program.
Slide 31: A Scorecard for Evaluation & Action

Figure: A scorecard matrix with the 9 agenda areas as rows (Policies, Standards, & Guidelines; Intrusion & Virus Detection; Incident Response; Physical Security; Privacy; Asset & Service Management; Vulnerability Management; Entitlement Management; Business Continuity) and the 6 characteristics as columns (Aligned, Enterprise-wide, Continuous, Proactive, Validated, Formal). Each cell is rated High Risk, Medium Risk or Low Risk.
Slide 32: Security Organizational Framework

Figure: An organization chart. The CEO sits at the top, with Public, Media, Government Relations and a Security Committee alongside. Other boxes shown: Security Officer, Privacy Officer, Asset Management, Physical Security, Continuity Planning, Service Management. The Security Officer’s function is divided into Planning, Architecture, Operations and Monitoring.

Responsibilities listed on the slide: Business Requirements, Education, Formal Communications, Governance, Policies, Project Management, Risk Assessment, Requests for Proposals (RFP), Standards & Guidelines, Technical Requirements/Design, Technical Security Architecture, Technology Solutions, Incident Response, Access Control/Account Management, Investigations, Standards/Solutions Deployment, Training & Awareness, Vulnerability Management, Auditing, Reporting, Systems Monitoring, Security Testing.
Slide 33: The Roadmap for Success
Slide 34: Executive Management Must Understand

• Scenario-based simulations – table-top exercises
• The organization’s response
• Critical roles and responsibilities
• Action plans to minimize the effect of an incident
• Monitor and test responses
Slide 35: Model and Define Risk: Establish Consistent Threat Categories

Category Level   Digital Impact/Risk                     Dept. of Homeland Security Risk
1                Tactical Inefficiencies                 Low (Green)
2                Chronic or Series of Inefficiencies     Guarded (Blue)
3                Risk to Customer Segment                Elevated (Yellow)
4                Risk to Multiple Customers              High (Orange)
5                Core Process or System Shutdown         Severe (Red)
Slide 36: Understand Risk Posture Curve

Figure: Frequency of occurrence (low to high) plotted against impact of occurrence (low to high), with impact levels Low (1), Guarded (2), Elevated (3), High (4) and Severe (5) along the curve.

Each of the 9 areas of the security agenda determines your risk posture, or how events will affect your organization.
Your risk posture changes as the environment and technology change.
Slide 37: The Fulcrum of Control

Figure: The risk posture curve (frequency of occurrence against impact of occurrence, levels 1 to 5) divided at a tipping point, the fulcrum of control; events on one side call for immediate action, while those on the other side are an ROI decision.

The ability to control & contain digital security incidents is the key to success.
Management must determine this tipping point or fulcrum and use it to drive their focus.
Slide 38: Forces Affecting Risk

Every time technology is changed or deployed, the risk posture curve moves.
Management must recognize this and deploy security resources accordingly.

Figure: The risk posture curve (frequency of occurrence against impact of occurrence, levels 1 to 5) with two opposing forces shown: New or Changed Technology and Risk Management.
Slide 39: Manage Risk for a Competitive Advantage

Figure: Risk posture curves (frequency of occurrence against impact of occurrence, levels 1 to 5) for Company A and for its industry.

Maintaining digital availability when your competitors in your industry fail is critical for most companies’ long-term success.
Slide 40: 6 Characteristics by Industry

Figure: Bar chart of the six characteristics scored by industry (Auto/Man, Energy, Financial Services, Life Sciences, Tech/Media, Telecom) on a scale from 2.55 to 4.15. Scores legible on the slide, per characteristic (the industry each bar belongs to is not recoverable from the transcript):
• Formal: 3.48, 4.09, 3.25, 3.60, 3.64, 3.88
• Validated: 3.82, 3.48, 3.29, 3.84
• Proactive: 2.91, 2.88, 3.40, 3.03, 3.00, 3.16
• Continuous: 4.05, 3.41, 3.52, 3.31, 4.13
• Enterprise-wide: 2.77, 3.00, 3.18, 3.35, 3.52, 3.94
• Aligned: 2.77, 2.95, 3.41, 3.59, 3.72, 4.15
Slide 41: Security “Orbit of Regard”

Figure: The CEO at the center, orbited by Products/Services, Market Share, Customer Service and Growth. Digital Security is shown at three positions labelled 1980s, 1990s and 2000s.

• Security is a top executive issue.
• Today, companies will compete on being able to respond to a digital threat.
• Top executives must close the digital security gap.
Slide 42: Highly Effective Security Cultures:

• are chief executive-driven
• maintain a heightened sense of awareness
• utilize a digital security guidance council
• establish timetables for success and monitor progress
• drive an enterprise-wide approach

The level of commitment of an organization’s personnel to the principles of security will determine the success or failure of the digital security program.
Slide 43: For More Information…

Sajay Rai
CEO and Managing Partner, Securely Yours LLC
248-723-5224