Download
1 / 43
430 likes | 700 Views
Projected B2B eCommerce Growth. Gartner 7.3 Trillion. Ovum 1.4 Trillion. Forrester 6.3 Trillion. Goldman 3.2 Trillion. emarketer 2.8 Trillion. 2004 Predictions. Internet Users Worldwide. Source: IDC. Risk Management In Perspective - Drivers. New TechnologiesWeb presenceOnline transactionsDelivery of professional services via the InternetNew RisksCyber-extortionNetwork security breachesLitigationLoss of
E N D
2. Projected B2B eCommerce Growth
3. Internet Users Worldwide
4. Risk Management In Perspective - Drivers New Technologies
Web presence
Online transactions
Delivery of professional services via the Internet
New Risks
Cyber-extortion
Network security breaches
Litigation
Loss of intangible information
Dependence on third party service providers
5. The Problem 85% of Companies report at least one Computer Security Breaches last year
90% report Vandalism attacks
78% report Denial of Service attacks
64% Acknowledged financial losses due to these attacks
Average loss: $2,000,000
Melissa = $80 million total
Denial of Service (Mafia Boy) = $1.2 billion
Love Bug - $10 billion
Statistical data provided by CSI/FBI 2001 report
6. The Computer Attack Risks Loss or damage to Data
Legal Liability to Others
Loss or damage to Reputation
Loss of Market capitalization and resulting Shareholder lawsuits
7. Foundations Managing risk includes the following components:
Accept
Mitigate
Transfer a portion of the risk to an insurance underwriter
8. Electronic Commerce: A Paradigm Shift Traditional Commerce
Centralized systems in glass house
Economy of scale
Managed risk
Security says NO Electronic Commerce
Distributed systems everywhere
Economy of dispersion
Distributed risk
Security is an enabler
9. Business Drivers for Security The effect of the Internet on banking and financial services
Movement from information silos to information integration
Holistic view of risk management
Increasing global regulatory oversight
Effect of GLBA
Increasingly proactive regulatory agencies and audits
More pervasive and complex technologies
10. The Four Foundations of Protection People
Board and management commitment, dedicated technical personnel, crisis management team all in place and active!
Process
Enterprise ISO7799 ready, on-going management, employee education and regular training, patch management.
Technology
Monitoring/log review, DMZ zones, firewall, anti-virus software, intrusion detection systems, remote access two factor authentication, audit trails.
11. 11 The Overriding Objective
12. People Success Factors Set up the right organization
13. Organizational Placement of IT Security Report separately from IT (Audit, Security, Legal, Finance)
Report directly to CIO/Head of Technology
Report into CTO/Operations
Part time function
Split function
14. Roles and Responsibilities Set policy/standards/guidance
Act as internal consultant
Perform system/security operations
Provide oversight over outsourced/third party technology providers
Conduct/manage assessments and audits
15. Ownership What to centralize:
Policy, standards, guidance
Test and validation of security
Cross-enterprise coordination
System-wide administration
What to decentralize:
Accountability
Risk acceptance
User access administration
16. People Success Factors Set up the right organization
Get good people and train them adequately
17. Security Must Add Value Facilitate, dont obfuscate
Be a perpetual student
Provide solutions to business needs
Communicate, communicate, communicate
Be an agent of change
Focus on operational excellence
Treat risk as part of the business equation
Clearly articulate what is expected
18. What Is the Scope? Make security enterprise-wide
and coordinated with all business units
Focus early in the product/software life cycle
Enlist allies:
Business units
Legal
Operations
Risk management
Earn your budget!
19. Preach Security Awareness Educated management
Understand risk
To the enterprise
To the given business
To the individual
Application of security standards
In the software development life cycle
In the management of platforms
20. People Success Factors Set up the right organization
Get the good people and train them adequately
Get management commitment
21. Articulate Risk in Business Terms Value of the asset
Probability of a loss
Likely cost over time
22. Control Analogy: ATM versus Internet Known and limited number of customer entry points
Two-factor authentication required (card plus PIN)
Camera recording all activity
Limited amount of cash available for withdrawal
Full audit trail of all activity
Physical limits to bulk fraud
Customer cannot stop an initiated transaction
Settlement and problem resolution processes in place
Customer has receipt to verify transaction
23. Management Involvement Top-level steering committee
Task force
Advisory board
Reporting key performance indicators
Reporting incidents
Compliance checking
24. Process Success Factors Put policy and standards in place
25. Security Life Cycle Steps
26. Top-level Policy Broad statement of intent
Sets the expectations for compliance
Must acknowledge individual accountability
Culture-dependent
Must cover appropriate use
Must be enforced
27. Standards Describe what to do, not how to do it
Explain the application of policy
Cover all elements of information security
Use existing models (I4 & ISF)
Provide the cornerstone for compliance
28. Guidelines Tell how to meet standards
Are platform- or technology-specific
Provide examples and configuration recommendations
Must be kept up to date
29. Process Success Factors Put policy and standards in place
Build a robust program
30. Desired State of Security Desired state of security: The level of security controls needs to correspond to the value/sensitivity of the underlying information asset: risk-based
Security must:
Be incorporated into the development process
Be part of the overall architecture
Be part of the project management and implementation process
Be part of system administrators and network planners job function
Keep current with technologies because they evolve rapidly. What worked yesterday may not be valuable today (digital certificates, application proxy firewalls, biometrics, IDS)
31. Process Success Factors Put policy and standards in place
Build a robust program
Track metrics for accountability
32. Platform Compliance
33. Security Awareness
34. Operational Statistics
35. Technology Success Factors Protect the perimeter
36. Perimeter Control Firewall technology in place to protect
Concept of a DMZ
Intrusion Detection
Network based
Host based
Standardized system configuration
38. Technology Success Factors Protect the perimeter
Provide consistent security services
39. Consistent Security Services Remote access authentication and authorization
Remote dial in access
Internet access
Business to business links
System management
Lockdown of access
File protection
Security patches
40. Technology Success Factors Protect the perimeter
Provide consistent security services
Capture audit data
41. Audit Trails What to capture
All access to systems
All intrusion attempts
Financial transactions
Access to sensitive data
Uses
Digital forensics
Monitoring of security
Improving performance
42. Information Security as the Foundation for Electronic Commerce The people are the critical components, but they must be supported by management and trained
The process starts with the policy, and concludes with implementation
The technology must be put in place to manage and enforce security
Management commitment is not difficult
if
Metrics: If you cant measure it, you cant control it
Information security bridges the business and the technology
43. The Future In the future, therell be just two kinds of banks the ones on the Internet
