Microsoft Belgium Security Summit. Georges Ataya, Solvay Business School, ISACA Belux; Detlef Eckert, Microsoft EMEA

Page 1

Microsoft Belgium Security Summit

Georges Ataya, Solvay Business School, ISACA Belux

Detlef Eckert, Microsoft EMEA

Page 2

Agenda

Introduction

How could you discuss security with the business people in your organisation?

What security solutions can help to grow the business?

What about security and Microsoft technology?

Risk Assessment: How to calculate the "economic impact" of a security incident?

Conclusions: Isn’t it all about complexity?

Page 3: Agenda (repeated from page 2)

Page 4

Introduction

The Security of Inclusion: “Enablement”

The Security of Exclusion: “Protection”

Source: PricewaterhouseCoopers LLP

Page 5

Challenge to meet conflicting requirements

Security

Availability

Control

Functionality

Cost

Finding the Right Balance

Page 6: Agenda (repeated from page 2)

Page 7

Management responsibility

Security Objectives:

“Protecting the interests of those relying on information [slide label: Business], and the systems and communications that deliver the information [slide label: Assets], from harm resulting from failures of availability, confidentiality and integrity [slide label: risks].”

Source: “IT Security Governance”, the IT Governance Institute (ITGI.org)

Page 8

Security management activity

Policy Development

Roles and Responsibilities

Design

Implementation

Monitoring

Awareness, Training and Education

Source: the International Guidelines for Managing Risk of Information and Communications, Statement #1: Managing Security of Information, issued by the International Federation of Accountants

Page 9

Business enablers

New technology provides the potential for dramatically enhanced business performance.

Information security can add real value to the organization by contributing to:

interaction with trading partners,

closer customer relationships,

improved competitive advantage and

protected reputation.

It can also enable new and easier ways to process electronic transactions and generate trust.

Page 10

Reduce Security Risk: Assess the environment; Improve isolation & resiliency; Develop and implement controls

Increase Business Value: Connect with customers; Integrate with partners; Empower employees

Diagram labels: Risk Level; Impact to Business; Probability of Attack; ROI; Connected; Productive

Page 11: Agenda (repeated from page 2)

Page 12

Business Challenges Requiring Security Solutions

eCommerce: Electronic Contract Signing; Non-Repudiation; Digital Rights Management

Compliance with Regulation: Basel II; Data Protection Regulation; E-Commerce Regulation (eSignature, eProcurement, eInvoice, …)

Collaboration & Communication: Confidentiality; Authentication; Availability; Secure Extranet

Mobile Workforce: Remote Access, VPN; Wireless LAN; Protect Laptop; Single-Sign-On

Page 13: Agenda (repeated from page 2)

Page 14

What about security and Microsoft technology?

How much to trust any technology, any business process and operations?

Need for an adequate risk management process

Risk mitigation projects to be championed by management

What is Microsoft’s track record in security and what are its perspectives?

Analyze how those could impact your own critical business.

Page 15 (slide contains no extractable text)

Page 16

Common Criteria Certification

Microsoft will certify all eligible products: Stable Protection Profile available; Demonstrated customer need

Windows 2000 Server, Windows 2000 & Windows 2000 Certificate Server: Certified EAL4+

ISA: Certified EAL2

Windows Server 2003, Windows XP, ISA 2004: In evaluation

SQL Server, Exchange: In planning

Page 17: Agenda (repeated from page 2)

Page 18

Components of Risk Assessment

Asset: What are you trying to assess?

Threat: What are you afraid of happening?

Impact: What is the impact to the business?

Vulnerability: How could the threat occur?

Mitigation: What is currently reducing the risk?

Probability: How likely is the threat given the controls?

Current Level of Risk: What is the probability that the threat will overcome controls to successfully exploit the vulnerability and affect the asset?

Diagram labels: Operating Principles; Mission and Vision; Risk Based Decision Model; Tactical Prioritization

Page 19

“Economic impact” of a security incident?

A business exercise, not a professional one

Related to asset identification and valuation

Impact should include various cost elements:

Loss of opportunity

Reputation impact

Replacement costs

The value of integrity, availability and confidentiality of information
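A worked example of the risk model on the two slides above (asset, threat, vulnerability, mitigation, probability and impact, with the economic-impact cost elements), added here and not part of the deck. The likelihood model, the 0..1 scales and the euro figures are constructed assumptions; the deck gives only the components and their guiding questions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed example, not from the slide deck: a small risk register that
# walks through the deck's components of risk assessment.

@dataclass
class EconomicImpact:
    """Cost elements the deck lists for the 'economic impact' (EUR, constructed)."""
    loss_of_opportunity: float
    reputation_impact: float
    replacement_costs: float

    def total(self) -> float:
        return self.loss_of_opportunity + self.reputation_impact + self.replacement_costs

@dataclass
class Risk:
    asset: str                    # What are you trying to assess?
    threat: str                   # What are you afraid of happening?
    vulnerability: str            # How could the threat occur?
    mitigations: list[str]        # What is currently reducing the risk?
    threat_likelihood: float      # assumed: chance per year the threat is attempted
    control_effectiveness: float  # assumed: fraction of attempts the controls stop
    impact: EconomicImpact        # What is the impact to the business?

    def probability(self) -> float:
        """How likely is the threat given the controls? (assumed model)"""
        return self.threat_likelihood * (1.0 - self.control_effectiveness)

    def current_level_of_risk(self) -> float:
        """Probability the threat overcomes controls times impact: expected annual loss."""
        return self.probability() * self.impact.total()

def prioritise(register: list[Risk]) -> list[tuple[str, float]]:
    """Tactical prioritisation: rank by current level of risk, highest first."""
    ranked = ((r.asset, round(r.current_level_of_risk(), 2)) for r in register)
    return sorted(ranked, key=lambda item: item[1], reverse=True)

# Constructed sample register (figures are illustrative assumptions)
REGISTER = [
    Risk("customer database", "theft of customer records", "unpatched web front end",
         ["patch process", "network segmentation"], 0.40, 0.75,
         EconomicImpact(200_000, 500_000, 50_000)),
    Risk("order processing", "ransomware outage", "phishing of staff",
         ["awareness training", "mail filtering", "tested backups"], 0.60, 0.80,
         EconomicImpact(300_000, 100_000, 40_000)),
    Risk("laptop fleet", "lost laptop with unencrypted data", "no disk encryption",
         [], 0.30, 0.0, EconomicImpact(20_000, 150_000, 2_000)),
]

if __name__ == "__main__":
    for asset, level in prioritise(REGISTER):
        print(f"{asset:20s} expected annual loss EUR {level:,.2f}")
```

Note how the laptop-fleet risk, with a modest impact but no mitigation at all, lands close to the ransomware scenario: the ranking is what lets the security and business decision makers argue about controls in economic terms.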

Page 20: Agenda (repeated from page 2)

Page 21

A complexity issue

Continuous complexity of systems, processes and number of involved stakeholders

Stakeholders include business decision makers (BDM)

Alignment is required between TDM and BDM on:

Security requirements driven by enterprise requirements

Security solutions fit for enterprise processes

Investment in information security aligned with the enterprise strategy and agreed-upon risk profile

Page 22 (slide contains no extractable text)

Page 23

Resources

General: http://www.microsoft.com/security

Consumers: http://www.microsoft.com/protect

Security Guidance Center: http://www.microsoft.com/security/guidance

Tools: http://www.microsoft.com/technet/Security/tools

How Microsoft IT Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit

E-Learning Clinics: https://www.microsoftelearning.com/security

Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx

Page 24

Security Mobilization Initiative

Security = People, Processes & Technology
http://www.microsoft.com/belux/nl/securitymobilization/default.mspx

Training & Offerings

Security Partners

CTEC’s

Microsoft Events

Tools

Security Guidance Kit

Page 25

Next Events

TechNet Evening: Application & Data Security: 17, 18, 19 May

Active Directory Security: June 3rd, John Craddock

MSDN Evening Chapter: June 3rd, SharePoint Development

TechNet Evening: Advanced Client & Server Security: 22, 23, 24 June

http://www.microsoft.com/belux/nl/securitymobilization/events.mspx