security architecture rajagiri talk march 2011
![Page 1: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/1.jpg)
Security Architecture
Prof. K Subramanian, SM(IEEE, USA), SMACM(USA), FIETE, SMCSI, MAIMA, MAIS(USA), MCFE(USA)
Director & Professor, Advanced Center for Informatics & Innovative Learning (ACIIL), IGNOU; Honorary IT Adviser to CAG of India; Ex-DDG(NIC), Ministry of Comm. & IT
Emeritus President, eInformation Systems, Security, Audit Association (eISSA); President, Cyber Society of India (Cysi)
![Page 2: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/2.jpg)
24/7/2010 Prof. KS@2010 ISACA conference July 2010 Bengaluru
Global issues with governance ofcyberspace
• Information Technology & Business: current status and future
• Does IT matter? IT-enabled Business
- Role of Information and Information Systems in business
- Role of information technology in enabling business
- IT dependence
• Changing Role of the CIO
• Web 2.0 and 3.0 and governing cyberspace
• eBusiness, eHealth, eBanking, eGovernance
• Current Challenges and Issues
![Page 3: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/3.jpg)
Oct 27, 2010 Future egovIndia forum Oct 2010 Delhi India
Cyberspace is Dynamic, Undefined and Exponential
Countries need dynamic laws that keep pace with technological advancements.
In a Virtual Space, Netizens Exist, Citizens Don't!
Factors bearing on trust in e-environments:
• Lack of a mature IT society
• Absence of a single governing body
• Legislation
• High skill inventory
• Reduced fear of being caught
• Disgruntled employees
![Page 4: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/4.jpg)
![Page 5: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/5.jpg)
09/27/10 Prof KS@2010 Software architecture series
![Page 6: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/6.jpg)
Five-tier Architecture for Cyber Space
Data Architecture: an overall plan for the data items (and their relationships) necessary to deliver e-government.
Process Architecture: a plan of the key activities that e-government will support and undertake.
Technology Architecture: how computers will be sized and connected for e-government, and an outline of the software to be used.
Data Management Architecture: how data input, processing, storage and output functions will be divided across the information technology architecture.
Management Architecture: the policies, standards, human resource systems, management structures, financial systems, etc. necessary to support e-government.
To create a building, you need a sound underlying architecture for that building, based on an architect's plan. The same is true for Security.
![Page 7: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/7.jpg)
Emerging Technologies - Competitive Environments & Integration, Catering through ICE
Technologies: 1. IT 2. BT 3. CT 4. ET 5. NT 6. ST
Integration: 1. Operational Integration 2. Professional Integration (HR) 3. Emotional/Cultural Integration
ICE is the sole integrator & IT/Cyber Governance is Important
Selection of Technologies: Affordable, Acceptable, Sustainable, Reliable
![Page 8: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/8.jpg)
Creating Trust in an Enterprise
• Today's information explosion is creating challenges for business and technology leaders at virtually every organization. The lack of trusted information and pressure to reduce costs is on the minds of CEOs and senior executives around the world.
• What's required to solve these challenges is a paradigm shift: from generating and managing silos (of information, of talent and skills, of technologies and of projects) to an environment where information is a trusted, strategic asset that is shared across the company.
![Page 9: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/9.jpg)
![Page 10: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/10.jpg)
Transition: Insurance → Assurance & Assurance Layered Framework
• Insurance
• Audit: Pre, Concurrent, Post
• IT Audit: Environmental, Operational, Technology, Network, Financial, Management, Impact
• Electronic Continuous Audit
• Certification
• Assurance
• Management & Operational Assurance (Risk & ROI)
• Technical Assurance (Availability, Serviceability & Maintainability)
• Financial Assurance: Revenue Assurance (Leakage & Fraud)
• Legal Compliance & Assurance (Governance)
![Page 12: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/12.jpg)
Why Assurance? Competitive Threats & Way Forward
Internal Competition from Liberalization
World Competition from Globalization
Entrenched Competition Abroad
Asymmetry in Scale, Technology, Brands
Industry Shakeouts and Restructuring
Learn more about own Businesses.
Reach out to all Business & Function Heads.
Sharpen Internal Consultancy Competences.
Proactively Seize the Repertoire of MS & Partners
Foster two way flow of IS & Line Talent.
![Page 13: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/13.jpg)
Key Areas of Assurance
• Organizational
- Systems in place to identify & mitigate differing risk perceptions of stakeholders to meet business needs
• Supplier
- Confidence that controls of third party suppliers are adequate & meet the organization's benchmarks
• Business Partners
- Confirmation that security arrangements with partners assess & mitigate business risk
• Services & IT Systems
- Capability of developers and suppliers of IT services & systems to implement effective systems to manage risks to the organization's business
![Page 14: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/14.jpg)
What and Why of Business Assurance
• Manufacturing: Developing & implementing policies & procedures to ensure operations are efficient, consistent, effective & compliant with law
• Services: Process that establishes uninterrupted delivery of services to the customer and protects interest & information
• Project: Confirmation that the business case is viable and actual costs and time lines are in line with planned costs & schedules
• Objective: Delivers significant commercial value to the business while fully compliant with regulatory requirements; to avoid Enron type scandals and comply with Sarbanes Oxley in the US and Clause 49 in India
![Page 15: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/15.jpg)
Assurance Stakeholders
Stakeholders for business assurance: Board of Directors, Management, Staff/Employees, Organisation, Customers, Public, Suppliers, Enforcement & regulatory authorities, Owner, Creditors, Shareholders, Insurers, Business partners
![Page 16: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/16.jpg)
Benefits of Assurance
• Contributes to effectiveness & efficiency of business operations
• Ensures reliability & continuity of information systems
• Assists in compliance with laws & regulations
• Assures that organizational risk exposure is mitigated
• Confirms that internal information is accurate & reliable
• Increases investor and lender confidence
![Page 17: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/17.jpg)
Design Parameters

Stakeholder groups around the diagram: Government - regulatory; Government - developmental; Business - financial; Business - technical; Civil society - informational; Civil society - technical.

Stakeholder contributions: ICT operations and maintenance; ICT planning and design; investment in R & D; marketing and distribution; project management and construction; training; borrowing capacity; capital investment, eg network expansion; ICT technical solutions; revenue collection; ICT risk/venture capital; sales and promotions; subsidies; access to development finance; ICT regulatory powers (price, quality, interconnections, competition); ICT transaction/concession design; investment promotion; legal framework for freedom of information; ICT infrastructure strategy; ICT skills development; innovation (high risk), eg community telecentres; local customer knowledge; capacity to network; a voice for the socially excluded; expertise in design of 'relevant' content; knowledge of user demand, eg technology and information gaps; capacity to mobilise civil society.

Design parameters, linked through a strategic compact / partnerships:
• Human Capacity: ICT technicians in govt, business and civil society; ICT user-awareness and skills; support for entrepreneurs
• Infrastructure: suitable primary architecture; suitable secondary technology; acceptable cost/risks of deployment; universal access (rural/urban); adequate subscriber density
• Enterprise: access to finance and credit; supportive property rights and commercial law; development of ICT suppliers and service SMEs; stimulation of demand, eg govt 'leads by example' through procurement
• Policy and Regulation: investment promotion and ownership rules; fair tax regimes for business and society; transparent policy making; effective regulatory frameworks (price, quality, interconnection, competition); adequate institutional capacity
• Content and Applications: relevant to development goals and user needs, eg voice, e-mail, nat/global connectivity; content compatible with education, cultural sensitivities and language; affordable access (equipment, connection and content)
![Page 18: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/18.jpg)
• Operational Integration
• Professional Integration (HR)
• Emotional/Cultural Integration
• ICT & Government Business & Services Integration
• Multi Technology coexistence and seamless integration
• Information Assurance: Quality, Currency, Customization/Personalization
ICE is the sole integrator; IT Governance is Important
![Page 19: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/19.jpg)
Managing Interdependencies: Critical Issues
• Infrastructure characteristics (Organizational, operational, temporal, spatial)
• Environment (economic, legal /regulatory, technical, social/political)
• Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex)
• Type of failure (common cause, cascading, escalating)
• Types of interdependencies
(Physical, cyber, logical, geographic)
• State of operations
(normal, stressed /disrupted, repair/restoration)
![Page 20: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/20.jpg)
Towards Information Assurance
• Increasingly, the goal isn't about information security but about information assurance, which deals with issues such as data availability and integrity.
• That means organizations should focus not only on risk avoidance but also on risk management, she said. "You have to be able to evaluate risks and articulate them in business terms“
--Jane Scott-Norris, CISO at the U.S. State Department
![Page 21: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/21.jpg)
Up The Value Chain
![Page 22: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/22.jpg)
Enabling to rapidly move up the Governance Evolution Staircase

Dimensions tracked at each stage: Strategy/Policy, People, Process, Technology. Cost/Complexity and Value (to the constituent) rise with each stage over Time; a Trigger moves the organisation from one stage to the next.

1. Presence: publish existing content; streamline processes; Web site, Markup.
2. Interaction: searchable database, public response/e-mail; content mgmt., increased support staff, governance; knowledge mgmt., e-mail best practices, content mgmt., metadata, data synch.; search engine, e-mail.
3. Transaction: competition, confidentiality/privacy, fee for transaction, e-authentication; self-services, skill set changes, portfolio mgmt., sourcing, increased business staff; BPR, relationship mgmt., online interfaces, channel mgmt.; legacy system links, security, information access, 24x7 infrastructure, sourcing.
4. Transformation: funding stream allocations, agency identity, "Big Browser", privacy reduces; job structures, relocation/telecommuting, organization, performance accountability, multiple-programs skills; integrated services, change value chain, new processes/services, changed relationships (G2G, G2B, G2C, G2E); new applications, new data structures.
5. Outsourcing (evolve the PPP model): define policy and outsource execution; retain monitoring and control; outsource service delivery staff; outsource process execution staff; outsource customer-facing processes; outsource backend processes; applications and infrastructure.
![Page 23: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/23.jpg)
Why information security governance is important
• With security incidents and data breaches having a huge impact on corporations, security governance, or oversight by the board and executive management, has assumed importance.
• Security governance refers to the strategic direction given by the board and executive management for managing information security risks to achieve corporate objectives by reducing losses and liabilities arising from security incidents.
![Page 24: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/24.jpg)
Threat & Vulnerability Management
• Authenticating user identities with a range of mechanisms, such as tokens, biometrics and Public Key Infrastructure
• Developing user access policies and procedures, rules and responsibilities and a standardized role structure that helps organizations meet and enforce security standards
• Centralizing user data stores in a single enterprise directory that enables increased efficiencies in user administration, access control and authentication
• Reducing IT operating costs and increasing efficiency by implementing effective user management to support self-service and automate workflow, and by provisioning and instituting flexible user administration
• You need an integrated threat and vulnerability management solution to better monitor, report on and respond to complex security threats and vulnerabilities, as well as meet regulatory requirements.
• You need to protect both your own information assets and those you are custodian of, such as sensitive customer data.
• You want a real-time, integrated snapshot of your security posture.
• You want to correlate events from data emerging from multiple security touch points.
• You need support from a comprehensive inventory of known threat exposures.
• You need to reduce the cost of ownership of your threat and vulnerability management system
![Page 25: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/25.jpg)
Risk Identification
• Assess current security capabilities, including threat management, vulnerability management, compliance management, reporting and intelligence analysis.
• Define c
• Identify technology requirements for bridging security gaps
• Integrated Security Information Management
• Develop processes to evaluate and prioritize security intelligence information received from external sources, allowing organizations to minimize risks before an attack
• Implement processes that support the ongoing maintenance, evolution and administration of security standards and policies
• Determine asset attributes, such as direct and indirect associations, sensitivity and asset criticality, to help organizations allocate resources strategically
• Assist in aggregating security data from multiple sources in a central repository or "dashboard" for user-friendly presentation to managers and auditors
• Help design and implement a comprehensive security reporting system that provides a periodic, holistic view of all IT risk and compliance systems and outputs
• Assist in developing governance programs to enforce policies and accountability
![Page 26: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/26.jpg)
9 Rules of Risk Management
• There is no return without risk
– Rewards go to those who take risks.
• Be transparent
– Risk is measured and managed by people, not mathematical models.
• Know what you don't know
– Question the assumptions you make.
• Communicate
– Risk should be discussed openly.
• Diversify
– Multiple risks will produce more consistent rewards.
• Show discipline
– A consistent and rigorous approach will beat a constantly changing strategy.
• Use common sense
– It is better to be approximately right than precisely wrong.
• Return is only half the question
– Decisions are to be made only by considering both the risk and the return of the possibilities.
RiskMetrics Group
![Page 27: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/27.jpg)
The Insider – Who are They?
• Who is an insider?
– Those who work for the target organization or those having relationships with the firm with some level of access
– Employees, contractors, business partners, customers etc.
• CSI/FBI Survey key findings (2007)
– Average annual losses $350,424 in the past year, up sharply from the $168,000 reported the previous year
– Insider attacks have now surpassed viruses as the most common cause of security incidents in the enterprise
– 63 percent of respondents said that losses due to insider-related events accounted for 20 percent of their losses
– (Prevalence of insider criminals may be overblown by vendors of insider threat tools!)
![Page 28: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/28.jpg)
Solutions Based on Study Recommendations
• Prevention by
– Pre-hire screening of employees
– Training and education
• Early detection and treat the symptoms
– Attack precursors exist, some non-cyber events
• Establish good audit procedures
• Disable access at appropriate times
• Develop best practices for prevention and detection
– Separation of duties and least privilege
– Strict password and account management policies
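Three of the controls above (disable access at the appropriate time, separation of duties, least privilege) can be checked mechanically by joining the HR roster to an application's account list. The following is an added example written for this page, not code from the talk or from any study it cites; the people, dates, entitlement names and conflict pairs are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Added example: audit an application's accounts against HR data for three of the
# insider-threat controls listed on the slide. All people, dates, entitlement
# names and conflict pairs below are constructed for illustration.

@dataclass
class Person:
    user: str
    end_date: date | None          # None = relationship still active

@dataclass
class Account:
    user: str
    enabled: bool
    entitlements: set[str]
    last_login: date | None

# Separation of duties: entitlement pairs one person must never hold together.
# These pairs are policy agreed with the business; the ones here are made up.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"payroll.edit", "payroll.approve"}),
}
DORMANT_AFTER = timedelta(days=90)   # unused rights are rights waiting to be abused

def audit(hr: list[Person], accounts: list[Account], today: date) -> list[tuple[str, str, str]]:
    """Return (user, finding, detail) for each control violation found."""
    end_by_user = {p.user: p.end_date for p in hr}
    findings: list[tuple[str, str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue                                 # disabled accounts carry no live risk here
        # Control: disable access at the appropriate time (and know who every account is).
        if acct.user not in end_by_user:
            findings.append((acct.user, "orphan-account", "enabled account with no HR record"))
        elif end_by_user[acct.user] is not None and end_by_user[acct.user] <= today:
            findings.append((acct.user, "not-disabled", f"left on {end_by_user[acct.user]}"))
        # Control: separation of duties.
        for pair in SOD_CONFLICTS:
            if pair <= acct.entitlements:
                findings.append((acct.user, "sod-conflict", " + ".join(sorted(pair))))
        # Control: least privilege; an account nobody logs into still holds all its rights.
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings.append((acct.user, "dormant", f"last login {acct.last_login}"))
    return findings

def run_example() -> list[tuple[str, str, str]]:
    """Constructed roster and account list; returns the audit findings."""
    today = date(2011, 3, 15)
    hr = [
        Person("alice", None),
        Person("bob", date(2011, 1, 31)),            # contract ended six weeks ago
        Person("carol", None),
    ]
    accounts = [
        Account("alice", True, {"vendor.create", "payment.approve"}, date(2011, 3, 10)),
        Account("bob", True, {"payroll.edit"}, date(2011, 1, 30)),
        Account("carol", True, {"report.read"}, date(2010, 11, 1)),
        Account("dave", True, {"payroll.approve"}, date(2011, 3, 1)),        # nobody in HR knows dave
        Account("erin", False, {"payroll.edit", "payroll.approve"}, None),  # already disabled
    ]
    return audit(hr, accounts, today)

if __name__ == "__main__":
    for user, finding, detail in run_example():
        print(f"{user:6} {finding:15} {detail}")
```

The orphan-account check matters as much as the termination check: an account the HR system cannot explain is exactly what a contractor or partner identity left behind looks like, and it will never be caught by a leaver process that is driven from HR.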
![Page 29: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/29.jpg)
General Solution Steps
• Collect data – notion of insider threat
• Formulate a model
– Threat modeling technique – graph, empirical
• Determine which phase
– Prevention/Detection/Mitigation
• Determine application domain
– Commercial/Military
• Pick solution methodology
– Signature/Rule based, anomaly based
– Pick the right machine learning algorithms
• Data acquisition for evaluation and benchmark
• Take a small bite – good threat modeling is already a significant advance!
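The "signature/rule based" versus "anomaly based" choice above is easiest to weigh when both run over the same events. This is an added example, not code from the talk or from any tool it mentions: the one-line audit-log format, the users and the record counts are constructed, and the business-hours window and the z-score threshold are assumptions a real deployment would tune.

```python
from __future__ import annotations
import re
import statistics
from collections import defaultdict

# Added example: constructed audit events run through one signature rule and one
# anomaly rule. The log format (one event per line) is an assumption made for
# this example, not any product's format.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT(?P<hh>\d\d):\d\d:\d\d)\s+user=(?P<user>\S+)"
    r"\s+action=(?P<action>\S+)\s+records=(?P<n>\d+)\s*$"
)

# Constructed history, used only to build per-user baselines.
BASELINE_LOG = """\
2011-03-07T09:12:00 user=alice action=export records=100
2011-03-08T10:03:00 user=alice action=export records=120
2011-03-09T11:40:00 user=alice action=export records=90
2011-03-10T14:22:00 user=alice action=export records=110
2011-03-11T16:05:00 user=alice action=export records=105
2011-03-07T09:30:00 user=bob action=export records=100
2011-03-09T09:31:00 user=bob action=export records=90
2011-03-11T09:29:00 user=bob action=export records=110
2011-03-07T08:15:00 user=carol action=export records=20
2011-03-08T08:16:00 user=carol action=export records=25
2011-03-09T08:14:00 user=carol action=export records=30
2011-03-10T08:17:00 user=carol action=export records=22
2011-03-11T08:15:00 user=carol action=export records=28
"""

# Constructed events for the day under review.
TODAY_LOG = """\
2011-03-14T23:12:41 user=alice action=export records=4800
2011-03-14T10:02:17 user=bob action=export records=95
2011-03-14T09:30:05 user=carol action=export records=300
2011-03-14T12:00:00 user=dave action=export records=50
2011-03-14T12:01:00 user=bob action=login records=0
this line is malformed and must not crash the detector
"""

def parse(text: str) -> list[dict]:
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:   # skip blank/malformed lines; a detector that crashes is one an insider can switch off
            events.append({"ts": m["ts"], "hour": int(m["hh"]), "user": m["user"],
                           "action": m["action"], "n": int(m["n"])})
    return events

def signature_rule(ev: dict) -> str | None:
    """Rule-based: a known-bad pattern, here any export outside 08:00-17:59."""
    if ev["action"] == "export" and not 8 <= ev["hour"] < 18:
        return "export-after-hours"
    return None

def build_baseline(events: list[dict]) -> dict[str, list[int]]:
    per_user: dict[str, list[int]] = defaultdict(list)
    for ev in events:
        if ev["action"] == "export":
            per_user[ev["user"]].append(ev["n"])
    return per_user

def robust_z(value: int, history: list[int]) -> float:
    """Median/MAD z-score; a mean/stdev baseline is easier for an insider to inflate slowly."""
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history]) or 1.0   # MAD of 0 would divide by zero
    return 0.6745 * (value - med) / mad

def anomaly_rule(ev: dict, baseline: dict[str, list[int]], threshold: float = 3.0) -> str | None:
    """Anomaly-based: export volume far outside this user's own history."""
    hist = baseline.get(ev["user"], [])
    if ev["action"] != "export" or len(hist) < 3:
        return None            # no usable baseline: cannot score, so stay silent rather than guess
    z = robust_z(ev["n"], hist)
    return f"volume-anomaly(z={z:.1f})" if z > threshold else None

def detect(baseline_text: str, today_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (user, timestamp, reasons) for every event that fires at least one rule."""
    baseline = build_baseline(parse(baseline_text))
    alerts = []
    for ev in parse(today_text):
        reasons = [r for r in (signature_rule(ev), anomaly_rule(ev, baseline)) if r]
        if reasons:
            alerts.append((ev["user"], ev["ts"], reasons))
    return alerts

if __name__ == "__main__":
    for user, ts, reasons in detect(BASELINE_LOG, TODAY_LOG):
        print(ts, user, ", ".join(reasons))
```

Two behaviours in the output are worth noticing. The signature rule catches alice's night-time export even if her volume had been normal, while the anomaly rule is what catches carol's daytime export that breaks no written rule; neither alone covers both. And dave, who has no history, produces no alert at all, which is the "data acquisition for evaluation and benchmark" point from the slide: an anomaly detector is blind until it has a baseline, and a new joiner or a freshly provisioned service account is exactly where that blind spot sits.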
![Page 30: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/30.jpg)
Insider Threat Modeling
• Privilege escalation by impersonation
• Privilege escalation by exploiting vulnerabilities
• Own privilege abuse
• Social engineering attacks
• Colluding attacks
![Page 31: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/31.jpg)
Information-Centric Modeling
• University at Buffalo – CEISARE
– Developed the concept of a Capability Acquisition Graph for insider threat assessment
– Part of a DARPA initiative
– Built a tool called ICMAP (Information-Centric Modeler and Auditor Program)
– Publications in ACSAC 2004, IEEE DSN 2005, JCO 2005, IEEE ICC 2006, IFIP 11.9 Digital Forensics Conference 2007
– CURRICULUM: Computing, mathematical, legal, managerial and informatics
– Various CAEs (certified by NSA, DHS), USMA, Syracuse, Buffalo, Stony Brook, Polytechnic, Pace, RIT
![Page 32: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/32.jpg)
Practical Considerations
• How is a model instance generated?
– Define the scope of the threat
– A step-by-step bottom-up approach starting with potential targets
• Who constructs the model instance?
– A knowledgeable security analyst
• How are costs defined?
– Cryptographic access control mechanisms have well-defined costs
– Use attack templates, vulnerability reports, attacker's privilege and the resources that need to be protected
– Low, Medium and High – relative cost assignment
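The Capability Acquisition Graph from the previous slide, combined with the Low/Medium/High relative costs described here, reduces to a shortest-path problem: nodes are capabilities an insider may hold, a directed edge says "holding A lets you acquire B" at some cost, and the analyst asks for the cheapest route from the privileges an ordinary employee starts with to the asset being protected. The following is an added illustration written for this page; it is not the ICMAP tool or its model, and the scenario, edge list and the mapping of Low/Medium/High to numbers are constructed assumptions.

```python
from __future__ import annotations
import heapq
from collections import defaultdict
from math import inf

# Added illustration of a capability-acquisition graph. Nodes are capabilities
# (credentials, sessions, physical access); an edge (A, B, level, how) says that
# holding A lets the insider acquire B at a relative cost. Everything below is a
# constructed scenario, not ICMAP's model or any real environment.
COST = {"low": 1, "medium": 3, "high": 9}    # relative cost assignment, as on the slide

EDGES: list[tuple[str, str, str, str]] = [
    ("own_workstation", "local_admin", "medium", "escalate on own, loosely managed workstation"),
    ("local_admin", "cached_dba_creds", "high", "recover DBA credentials cached on the workstation"),
    ("hr_portal_user", "hr_admin_session", "medium", "social-engineer helpdesk into an HR admin reset"),
    ("hr_admin_session", "payroll_db_write", "low", "HR admin role already carries payroll write"),
    ("employee_badge", "server_room", "medium", "tailgate into the server room"),
    ("server_room", "cached_dba_creds", "medium", "console access to the database host"),
    ("cached_dba_creds", "payroll_db_write", "low", "log in as the DBA"),
]
START = {"employee_badge", "own_workstation", "hr_portal_user"}   # what an ordinary employee holds
TARGET = "payroll_db_write"                                        # the resource being protected

def cheapest_path(edges, start, target):
    """Dijkstra from every starting capability at once; returns (cost, steps) or None."""
    adj = defaultdict(list)
    for frm, to, level, how in edges:
        adj[frm].append((to, COST[level], how))
    dist = {cap: 0 for cap in start}
    prev = {}
    heap = [(0, cap) for cap in sorted(start)]
    heapq.heapify(heap)
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, inf):
            continue                       # stale heap entry
        if node == target:
            break
        for to, w, how in adj[node]:
            if d + w < dist.get(to, inf):
                dist[to] = d + w
                prev[to] = (node, how)
                heapq.heappush(heap, (d + w, to))
    if target not in dist:
        return None                        # target unreachable from these privileges
    steps, node = [], target
    while node in prev:
        parent, how = prev[node]
        steps.append((parent, node, how))
        node = parent
    return dist[target], steps[::-1]

def with_control(edges, frm, to, new_level):
    """Model a countermeasure as a higher cost on one acquisition step (e.g. step-up auth)."""
    return [(f, t, new_level if (f, t) == (frm, to) else lvl, how) for f, t, lvl, how in edges]

if __name__ == "__main__":
    cost, steps = cheapest_path(EDGES, START, TARGET)
    print(f"cheapest path to {TARGET}: cost {cost}")
    for frm, to, how in steps:
        print(f"  {frm} -> {to}: {how}")
    hardened = with_control(EDGES, "hr_portal_user", "hr_admin_session", "high")
    cost2, steps2 = cheapest_path(hardened, START, TARGET)
    print(f"after requiring step-up auth for HR admin: cost {cost2}, via {steps2[0][1]}")
```

In the constructed scenario the cheapest route to payroll write is not the technical exploit chain but a helpdesk reset into an over-privileged HR admin role. Raising the cost of that one step (the `with_control` call stands for making the reset require step-up authentication) does not make the target safe; it moves the cheapest path to the server room, which is the "how much is too much" question the model is meant to make explicit: the next control to buy is the one on the new cheapest path, and the graph says which one that is.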
![Page 33: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/33.jpg)
3/7/2009 IMT Ghaziabad Lecture Prof. KS@2009 March 2009
Calder- Moir IT Governance Framework
![Page 34: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/34.jpg)
Measurement of IT Projects Value and Effectiveness
IT Assessment: 1. Validity or Relevance 2. Protectibility 3. Quantifiability 4. Informativeness 5. Generality 6. Transferability 7. Reliability to other parts of organization
• Effectiveness: Utility, Efficiency, Economy, Control, Security
Assessment of IT Functions: Strategy, Delivery, Technology, People, Systems
![Page 35: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/35.jpg)
5th December 2007 Cyber assurance for Financial services
IT Services Objectives and Certification Framework
Framework: IT Act, COBIT, Control Theory
Attributes: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability of information
Indian IT Act reference: Section 2(1)(zd)(a), (b), (c), (d)
![Page 36: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/36.jpg)
Standards, Standards, Standards
• Security
• Audit
• Interoperability
• Interface (systems/devices/comm.)
• Architecture/Building Blocks/Reusable
• HCI (Human Computer Interface)
• Process
• Environmental (Physical, Safety)
• Data Interchange & mail messaging
• Layout/Imprint
![Page 37: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/37.jpg)
Importance of Group Standards - no one standard meets all requirements
ISO 27001/BS7799 vs COBIT vs CMM & PCMM vs ITIL
• Mission
• Business Objectives
• Business Risks
• Applicable Risks
• Internal Controls
• Review
![Page 38: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/38.jpg)
Governance & Assurance Maturity Model
![Page 39: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/39.jpg)
Security/Risk Assurance - Expectations
"To determine how much is too much, so that we can implement appropriate security measures to build adequate confidence and trust"
"To derive a powerful logic for implementing or not implementing a security measure"
![Page 40: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/40.jpg)
IT Security predictions 2010-2011: 1. Pirated software*
Pirated software will drive insecurity in much more dynamic ways than previously realized. Users of pirated software are afraid to download updates, thus are exposed to security risks because their software is entirely unpatched. Also, newer versions of pirated software now come with malware pre-installed. As a result, users of pirated software will become the new “Typhoid Marys” of the global computing community.
*IBM's X-Force research team
![Page 41: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/41.jpg)
IT Security predictions 2010-2011: 2. Social engineering meets social networks
Social engineering meets social networks and ups the ante for creative compromises. Criminal organizations are increasingly sophisticated in how they attack different social networking sites. For example, Twitter is being used as a distribution engine for malware. LinkedIn, however, is being used for highly targeted attacks against high-value individuals. We will see these organizations use these sites in creative new ways in 2010 that will accelerate compromises and identity theft, especially as new commercial applications increase the disclosure of valuable personal information on these sites.
![Page 42: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/42.jpg)
IT Security predictions 2010-2011: 3. Criminals take to the cloud
Criminals take to the cloud. We have already seen the emergence of “exploits as a service.” In 2010 we will see criminals take to cloud computing to increase their efficiency and effectiveness.
![Page 43: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/43.jpg)
IT Security predictions 2010
• a rise in attacks on health care organizations will occur for similar reasons,
• continued attacks on retailers big and small, tax authorities,
• Educational/school systems - anywhere where lots of records are kept by organizations that haven't traditionally had best practice security in place
![Page 44: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/44.jpg)
Assurance in the PPP Environment
![Page 45: Security architecture rajagiri talk march 2011](https://reader038.vdocument.in/reader038/viewer/2022110302/54b39bd94a795905308b4610/html5/thumbnails/45.jpg)
THANK YOU
For Interaction:
Prof. K. Subramanian, [email protected]
[email protected]; [email protected]@ignou.ac.in
Tele:011-29533068;23219857
Let us Assure Good Cyber Governance & Business Assurance in Cyber Era