Does IT Security Matter?
Dr. Luke O’Connor
Group IT Risk
Zurich Financial Services, Switzerland
Faculty of Information Technology, QUT
November 27th, 2007
2
Outline
• A bit about Zurich and myself
• Nicholas Carr and knowing your neighbours
• Security Tectonics
• The Explanation is Mightier than the Action
• Risk and the New Math
• Final Grains of Wisdom
3
Introduction to Zurich
• Offices in North America and Europe as well as in Asia Pacific, Latin America and other markets
• Servicing capabilities to manage programs with risk exposure in more than 170 countries
• Approximately 58,000 employees worldwide
• Insurer of the majority of Fortune’s Global 100 companies
• Net income attributable to shareholders of USD 4.5 billion in 2006
• Business operating profit of USD 5.9 billion in 2006
4
My Background
• Industrial Research (6 yr): what people might want
• Consulting (5 yr): what people say they want
• In house (2 yr): what people expect
(Security) (Risk)
5
G-IT Risk stakeholders
Diagram: Group IT Risk (GITR) at the centre, with its stakeholder groups around it.
• Zurich Business: Business A, Business B, Business C, Business x; Account Exec A, Account Exec B, Account Exec C, Account Exec x
• Service Providers: Supplier A, Supplier B, Supplier x
• Group functions: Finance, GITAG, Capabilities, Process/QM, Sourcing, Audit, Compliance, Legal, Risk
• G-IT support functions: GITR, GSM, Investigations, G-ISP
• External functions: Industry Bodies & Suppliers
Labelled relationships: Project risk management; Service risk management; Co-operate; Consume information and services; Primary interface for G-IT; GITR Partner Focus.
6
Does IT Matter?
• Carr, N, “IT Doesn’t Matter”, Harvard Business Review, Vol 81, 5, May 2003
• Carr, N, “Does IT Matter?”, 2004
“IT doesn’t matter and can’t bring strategic advantage at present!“
• Spend less
• Follow, don't lead
• Focus on vulnerabilities, not on opportunities
• IT management should become “boring”
• Manage risks and costs
7
Good Neighbours, but Good Friends?
Diagram: Business → IT Department → IT Security
Businesses see IT as something technical.
IT Departments see IT Security as something technical.
In both cases there is a dependency but not a strategic relationship.
8
The Continental Drift of C, I, A
CIA: better known to business as “Call in Accenture”
Diagram: security topics drift across five layers (Technical, Conceptual, Architectural, Process, Business) under each of Confidentiality, Integrity and Availability.
Confidentiality:
· SSL · VPN · “SSL VPN” · Database Encryption · Hard Disk Encryption
· Data In Flight · Data at Rest
· Data Retention · Data Leakage · Data Breach · Data Privacy · Cross Border Data Flow
Integrity:
· Hashing & Checksums · Digital Signatures
· Authentication · Access Control · Logging
· One person, one ID · Rapid and flexible provisioning and deprovisioning of rights
· Role Based Access Control
· Anti-Virus · Firewalls · Anti-Spyware · DOS
· ID Management · Financial Process Integrity
Availability:
· Backup & Restore · RAID, Clustering · Hot Swapping · Incident Response
· Business Continuity · Disaster Recovery
Layers: TECHNICAL, CONCEPTUAL, ARCHITECTURAL, PROCESS, BUSINESS
9
The Explanation is Mightier Than the Action
Diagram: Security | Business
10
Security Bingo
11
Notable Security Setbacks
• Regulatory Frameworks over Security Frameworks (SOX over 7799)
• Excel over FUD (Fear, Uncertainty and Doubt)
• Reactive over Proactive
• SLAs over Security Program
• Commercial over Military
12
The New-ish Security Model: From Castle to Airport
Castle: Security mechanisms are static and difficult to change.
Airport: Security mechanisms are dynamic and responsive to threats.
Castle: Reliance on a few mechanisms. Castle walls are impregnable. Once inside, security mechanisms are minimal.
Airport: Uses multiple overlapping technologies for defence in depth.
Castle: Known community have unrestricted access within security boundary.
Airport: Security must be maintained whilst an unknown population traverse. Security of inclusion (ensuring the right people have access to the right resources) and security of exclusion (ensuring that assets are protected). Use of roles to determine security requirements.
Castle: Silo mentality in organisation.
Airport: Requires an open, co-ordinated, global approach to security.
13
The next Big Thing: Network Access Control (NAC)
How do you sell this to your IT Department or Business?
Diagram: a NAC architecture with three zones, Remote Access DMZ, Quarantine Network and Trusted Network, separated by Firewall Clusters.
• Remote Access DMZ: VPN Concentrator, IDS Sensor, DMZ Network, AAA Server
• Quarantine Network: Network Access Control Server, Platform Configuration Server, Quarantine Server, IDS Sensor
• Trusted Network: Trusted VLANs
• Access to a restricted set of web applications based on user role
• Access to a restricted VLAN based on user role
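The diagram gives the components but not the decision the NAC server makes when a remote session arrives. The following is an added example, not Zurich's code and not from the slide: it models that decision as a small fail-closed policy. The session fields (AAA result, role, platform-configuration check), the role tables and the zone names are assumptions for illustration.

```python
"""Zone decision for a remote session arriving through the VPN concentrator.

Added example modelled on the NAC slide; the fields, roles and VLAN names
are assumed, not taken from any real deployment.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Zone(Enum):
    DENIED = "denied"
    QUARANTINE = "quarantine network"
    DMZ_WEB = "DMZ: restricted set of web applications"
    TRUSTED_VLAN = "trusted VLAN"


@dataclass(frozen=True)
class Session:
    user: str
    authenticated: bool       # result from the AAA server
    role: str                 # role asserted by AAA / directory
    posture_compliant: bool   # result from the platform configuration server


# Hypothetical role policy: which trusted VLAN a compliant, authenticated
# user of each role may reach (assumed values).
ROLE_VLAN = {"finance": "vlan-finance", "it-ops": "vlan-ops"}
# Roles that only get the restricted web applications in the DMZ (assumed).
ROLE_WEB_ONLY = {"contractor"}


def decide_zone(s: Session) -> Tuple[Zone, Optional[str]]:
    """Return the zone the session is placed in and, for a trusted VLAN, its name.

    Ordering matters: an unauthenticated session is dropped before anything
    else is looked at, and a non-compliant device is quarantined regardless
    of how privileged the user's role is. Unknown roles fail closed.
    """
    if not s.authenticated:
        return Zone.DENIED, None
    if not s.posture_compliant:
        # Known user on an unhealthy platform: quarantine beats role.
        return Zone.QUARANTINE, None
    if s.role in ROLE_VLAN:
        return Zone.TRUSTED_VLAN, ROLE_VLAN[s.role]
    if s.role in ROLE_WEB_ONLY:
        return Zone.DMZ_WEB, None
    return Zone.DENIED, None  # no policy for this role: fail closed


if __name__ == "__main__":
    # Constructed sample sessions, one per branch of the policy.
    samples = [
        Session("alice", True, "finance", True),
        Session("bob", True, "finance", False),
        Session("carl", True, "contractor", True),
        Session("dan", True, "visitor", True),
        Session("eve", False, "it-ops", True),
    ]
    for sess in samples:
        zone, vlan = decide_zone(sess)
        print(f"{sess.user:6} role={sess.role:10} -> {zone.value}"
              + (f" ({vlan})" if vlan else ""))
```

The point a practitioner would want to argue from this when selling NAC: the role-based access the business already understands is only applied after the device check, so a privileged user on a compromised laptop ends up in the quarantine network, not in the trusted VLAN.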
14
From Security ….
Four stages, each with its label from the bottom of the slide:
• Objectives (Perceived): ISO 17799, ISF, Cobit, NIST, Your Policies and Standards, etc …
• Controls (Desired): ISO 17799, ISF, Cobit, NIST, Your Service Catalogue, etc …
• Testing (Reality): Documentation, Questionnaires, Interviews, Demonstrations, Inspections, Tooling, 3rd Party Analysis
• Report (The Plan): Control Effectiveness, Compliance, Risk, Mitigation, Priorities
15
… to Risk
• Description: What could happen?
• Trigger: How could it happen?
• Consequence: What is the impact?
• Probability: How often?
• Severity: How bad?
16
Controls as Risk (as is)
Diagram: a Control Objective (e.g. CoBIT) is implemented by Controls C1, C2, C3 and C4. The Control Assessment rates each control Effective, Needs Improvement or Not Effective, and each rating is then asked “Risk?”.
Risk Scenarios as reformulations of control deficiencies (gaps)? NO!
Control gaps are potential triggers of Risk.
17
IT Risk – Components
IT Risk Components
• IT Projects Risk: Financial & Resources; Compliance & Audit; Contract & Supplier Mgmt; IT Architecture & Strategy; IT Project Management Risks; Facilities & Environment; IT Operations & Support; Time to Deliver; IT Security
• IT Services Risk: Service Level Management; Capacity Planning; Contingency Planning; Availability Management; Cost Management; Configuration Management; Problem Management; Change Management; Help Desk; Software Control & Distribution; IT Security
18
Zurich’s IT Risk Management Framework
Diagram: five numbered steps.
1. ABC (Assessment of Business Criticality) risk analysis prioritizes resources. Object to be assessed: below threshold, no further analysis, apply policies and standards; above threshold, continue with step 2 (Project) or step 3 (Service).
2. Project: Project Risk Tool, risk assessment within the PMO process (optimised risk analysis for projects).
3. Service: Service Risk Tool, facilitated assessments and self-assessments (optimised risk analysis for services).
4. Group IT Risk Register (Central): the risk register provides a single global datastore for analysis and reporting.
5. Reporting, Escalation and Action Monitoring: Group IT Risk Reporting, Dashboard, Actions monitoring, QRR.
Consulting services alongside the tools: Project Risk Consulting, Services Risk Consulting, IT Security Risk Assessments.
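Slides 15, 16 and 18 together describe one procedure: screen the object by business criticality, treat non-effective controls as potential risk triggers, write each resulting risk as description / trigger / consequence with a probability and a severity, and rank the register. The following is an added example that walks that procedure end to end; it is not Zurich's Project or Service Risk Tool. The 1–5 rating scales, the inclusive threshold, the scoring by probability times severity, and the sample controls and scenarios are all assumptions made for illustration.

```python
"""Risk register built from a control assessment (added example, not Zurich's tooling).

Assumed: probability and severity use a 1..5 scale, the ABC threshold is
inclusive, and a risk's score is probability * severity.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class ControlStatus(Enum):
    EFFECTIVE = "Effective"
    NEEDS_IMPROVEMENT = "Needs Improvement"
    NOT_EFFECTIVE = "Not Effective"


@dataclass(frozen=True)
class ControlAssessment:
    control_id: str          # e.g. a CoBIT control such as C1..C4 on the slide
    status: ControlStatus


def is_valid_rating(value) -> bool:
    """Ratings must be integers on the assumed 1..5 scale; anything else is garbage."""
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 5


@dataclass(frozen=True)
class Risk:
    description: str         # What could happen?
    trigger: str             # How could it happen?
    consequence: str         # What is the impact?
    probability: int         # How often?  1 (rare) .. 5 (frequent), assumed scale
    severity: int            # How bad?    1 (minor) .. 5 (severe), assumed scale

    def __post_init__(self) -> None:
        # Garbage in, garbage out: refuse ratings outside the scale at entry time.
        for name in ("probability", "severity"):
            if not is_valid_rating(getattr(self, name)):
                raise ValueError(f"{name} must be an integer 1..5, got {getattr(self, name)!r}")

    @property
    def score(self) -> int:
        return self.probability * self.severity


def abc_screen(business_criticality: int, threshold: int) -> bool:
    """Step 1: True means above threshold (full risk analysis); False means
    apply policies and standards with no further analysis."""
    return business_criticality >= threshold


def control_gaps(assessments: List[ControlAssessment]) -> List[ControlAssessment]:
    """Slide 16: a control that is not Effective is a gap, i.e. a potential trigger."""
    return [a for a in assessments if a.status is not ControlStatus.EFFECTIVE]


def build_register(assessments: List[ControlAssessment],
                   scenarios: Dict[str, Risk]) -> Tuple[List[Risk], List[str]]:
    """Turn each gap into a register entry whose trigger names the gap, ranked by
    score (highest first). Gaps with no scenario are returned separately so
    they are reviewed rather than silently lost."""
    entries: List[Risk] = []
    unmapped: List[str] = []
    for gap in control_gaps(assessments):
        template = scenarios.get(gap.control_id)
        if template is None:
            unmapped.append(gap.control_id)
            continue
        entries.append(Risk(
            description=template.description,
            trigger=f"{gap.control_id} assessed '{gap.status.value}': {template.trigger}",
            consequence=template.consequence,
            probability=template.probability,
            severity=template.severity,
        ))
    return sorted(entries, key=lambda r: r.score, reverse=True), unmapped


# Constructed sample data: four controls as on slide 16, two of them gaps.
SAMPLE_ASSESSMENT = [
    ControlAssessment("C1", ControlStatus.EFFECTIVE),
    ControlAssessment("C2", ControlStatus.NEEDS_IMPROVEMENT),
    ControlAssessment("C3", ControlStatus.NOT_EFFECTIVE),
    ControlAssessment("C4", ControlStatus.EFFECTIVE),
]
SAMPLE_SCENARIOS = {
    "C2": Risk("Stale access rights", "leaver accounts are not deprovisioned promptly",
               "unauthorised access to claims data", probability=3, severity=4),
    "C3": Risk("Untested restore", "backups are taken but never restored",
               "prolonged service outage after data loss", probability=2, severity=5),
}


if __name__ == "__main__":
    if abc_screen(business_criticality=4, threshold=3):
        register, unmapped = build_register(SAMPLE_ASSESSMENT, SAMPLE_SCENARIOS)
        for r in register:
            print(f"[{r.score:2}] {r.description}: {r.trigger} -> {r.consequence}")
        print("gaps without a scenario:", unmapped)
    else:
        print("below threshold: apply policies and standards")
```

The register is what the talk calls a spreadsheet that works with the business's spreadsheets: every row can be read without security vocabulary, and the rating validation is the one place where garbage is refused on the way in rather than discovered in the ranking.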
19
Relation to Operational Risk
Diagram: IT Project Risk Assessments, IT Service Risk Assessments and IT Risk Incident Management feed a Common Risk Repository on a Common IT Infrastructure, alongside the opRisk inputs (opRisk QRA, opRisk KRIs, opRisk LED Collection) and Other Sources (ICF, TRP, ...). From the repository, opRisk Modeling and Quantification leads to opRisk Reporting and Capital Allocation; IT Risk Reporting leads to Awareness, Well Informed Decision Making, Incentives and Performance Measurement.
Legend: opRisk Process; IT Risk Process; Joint Effort; Data Flow; Input; Other Process.
20
Conclusion: Does IT Security Matter?
• IT Security in general is not an end in itself
• IT Security is one area competing for attention and funding, amongst many
• If you don’t make IT security matter, it won’t
• Keeping business secure is the main end
• Focus on securing business processes not the process of securing
• Excel is your new best friend
• Make your spreadsheets work with their spreadsheets
• A risk-based approach is the opportunity to speak business language
• Don’t replace FUD with GIGO (garbage in, garbage out)
21
Over to you