Defending the Digital Frontier
Defending the Digital Frontier: An Overview
Mark W. Doll, Americas Director, Digital Security Services, Ernst & Young LLP

Rudy Giuliani’s call to action

The time has come for senior executives of U.S. corporations to follow the President's lead and make security a mainstream, business-critical, board-level issue…the time when security-related decisions could be left to persons at a mid-manager level or decided solely upon budgetary considerations has passed. Senior executives must now take the steps to plan, prepare and practice to address their organizational security threats and challenges.


Additional legislative requirements

California Senate Bill 1386, effective July 1, 2003, requires a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.... The bill would require an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data, as specified. The bill would state the intent of the Legislature to preempt all local regulation of the subject matter of the bill. This bill would also make a statement of legislative findings and declarations regarding privacy and financial security.


The security frontier

The digital frontier and corresponding security risk combine to create a new frontier. We call this the security frontier.

[Chart: The Security Frontier. Horizontal axis: IT usage / probability of failure, low to high. Vertical axis: reliance on IT / impact of failure, low to high. The decades from the 1970s through the 1980s and 1990s to the 2000s are plotted along a rising diagonal labelled "productivity improvement / increased risk".]


The digital security gap

Caught up in the pursuit of productivity improvements, management apparently overlooked security.

[Chart: The Digital Security Gap. Horizontal axis: time, 1990s to 2000s. Vertical axis: total spending, low to high. Two curves, total IT spending and total security spending, diverge over time; the widening distance between them is labelled the digital security gap.]


6 Key Security Characteristics


1) Aligned digital security

The attainment and maintenance of appropriate alignment among digital security, the IT organization, digital assets and business objectives.

[Diagram: business objectives, digital assets, the information technology organization and digital security, shown held in alignment.]

The distance between the top levels of management and the security team is known as the Security Management Gap.

79% of respondents in the 2002 Ernst & Young Digital Security Overview survey indicated that the documentation, implementation and follow-through cycle for their information security policies was not being carried out completely.


2) Enterprise-wide digital security

A holistic view of the security needs for the entire organization, as well as its extended enterprise, to ensure consistent, efficient deployment. Critical authority is given to a centralized body to ensure consistently highly effective security throughout the organization.

86% of companies surveyed have intrusion detection systems in place. However, of those companies, only 35% actively monitor 95% to 100% of their critical servers for intrusions.


3) Continuous digital security

Real-time monitoring and updating of all security policies, procedures and processes to ensure a timely response to issues and opportunities.

Not occasionally. Not periodically. Continuously.

46% of respondents indicated that they use manual or partially automated methods of tracking physical assets as opposed to fully automated methods.


4) Proactive digital security

The ability of a security program to anticipate potential threats and vulnerabilities effectively, and to maintain the confidentiality, integrity and availability of the organization's digital assets.

[Chart: risk intelligence (low to high) against time. Milestones are labelled initial assessment, periodic assessment and ongoing monitoring; the curve labelled "proactive" sits well above the curve labelled "traditional".]

Only 16% of respondents have wide-scale deployment of a vulnerability tracking mechanism and knowledge of all critical information vulnerabilities.


5) Validated digital security

Achieving highly effective digital security requires third-party validation of critical security components and business objectives.

[Diagram: rigor of validation increases along three dimensions: who validates (self, peer, 3rd party), how deeply (deployed, tested, validated) and against what (to a unit, to a standard, to a business objective).]

66% of respondents indicated that their information security policies are not in complete compliance with the domains defined by ISO 17799, CISSP, Common Criteria or other recognized models.


6) Formal digital security

Policies, standards and guidelines that provide fundamental direction on digital security issues and are endorsed by senior staff. To be formal, they must be documented and tested, then communicated to every member of the organization.

[Diagram: a grid with "documented" (minimally to highly) on one axis and "confirmed" (minimally to highly) on the other. Regions are labelled experience-based, situational and formal, with formal in the highly documented, highly confirmed corner.]

13% of respondents have integrated business continuity and disaster recovery plans that address recovering the entire enterprise. 7% indicated they have no documented plans in place.


Executive management must understand

  • Scenario-based simulations: Table-top exercises

  • The organization’s response

  • Critical roles and responsibilities

  • Action plans to minimize the effect of an incident

  • Monitor and test responses


Model and define risk: establish consistent threat categories

  Category   Dept. of Homeland   Homeland   Digital impact/risk
  level      Security risk       level
  5          Severe              Red        Risk to customer segment
  4          High                Orange     Risk to multiple customers
  3          Elevated            Yellow     Chronic or series of inefficiencies
  2          Guarded             Blue       Core process or system shutdown
  1          Low                 Green      Tactical inefficiencies


The fulcrum of control

  • The ability to control & contain digital security incidents is the key to success

  • Management must determine this tipping point or fulcrum and use it to drive their focus

[Chart: impact of occurrence (1 to 5, low to high) against frequency of occurrence (low to high). A line labelled the fulcrum of control separates the high-impact region marked "immediate action" from the lower region marked "ROI decision".]


Manage risk for a competitive advantage

  • Maintaining digital availability when your competitors in your industry fail is critical for most companies’ long-term success

[Chart: impact of occurrence (1 to 5, low to high) against frequency of occurrence (low to high), with Company A plotted against the industry as a whole.]


Highly effective security cultures:

  • are chief executive-driven

  • maintain a heightened sense of awareness

  • utilize a digital security guidance council

  • establish timetables for success and monitor progress

  • drive an enterprise-wide approach

The level of commitment of an organization’s personnel to the principles of security will determine the success or failure of the digital security program.


For more information…

Mark Doll, Americas Director, Digital Security Services, Ernst & Young LLP
212-773-1265

Or

Web site: ey.com/security
Security Info-line: 888-706-2600

