1 / 12

System Security Compliance Monitoring Program

System Security Compliance Monitoring Program. Monitoring compliance to corporate information security standards. Pat Hymes First Union Corp. Information Security Policies, Standards and Guidelines. Standards - support corporate policies and define what controls are needed.

savannahj
Download Presentation

System Security Compliance Monitoring Program

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. System SecurityCompliance Monitoring Program Monitoring compliance to corporate information security standards Pat Hymes First Union Corp.

  2. Information Security Policies, Standards and Guidelines Standards - support corporate policies and define what controls are needed Guidelines - describes how to implement controls on a particular platform (e.g., AS/400, Unix, Novell, NT)

  3. The Challenge Are people following the standards? How compliant are our systems with the standards/guidelines? Are weaknesses being identified and addressed? How do we improve the security of our distributed environment?

  4. Why Monitor Compliance? • We have better data to do our job • Enterprises with weak information security controls suffer more than twice as many incidents than Best in Class organizations (1) • Supports proactive identification of weak controls (for correction or sign-off) • Helps satisfy OCC concerns regarding technology risk (1) - European Security Forum, 1998/99 Information Security Status Survey

  5. Considerations Wheat First Union Everen Evergreen The Money Store NT NT NT NT • Thousands of Systems • Multiple IT Departments • Low Security Awareness • Technological Evolution, Complexity • Time to Market Pressures • Immature and Proprietary Controls UNIX UNIX UNIX UNIX AS/400 AS/400 AS/400 AS/400 Novell Novell AS/400 AS/400 Corp Dial-In First Union Enterprise Novell Novell UNIX UNIX NT NT Tandem VMS Corp/I&O Cap Markets Mainframe

  6. Approach • Implement automated tools to assess compliance • Use published security guidelines as criteria • Assign weight to each test (scale: 1-10) • Compute system compliance score • Based on points earned vs. total possible • Pull results to central compliance database • Provide multiple levels of reporting • Re-assess on a regular basis • Assist and support SAs wherever possible “If you don’t know where you’re going, you’ll never know when you get there.” Yogi Berra

  7. Program Evolution Tandem VMS Unix AS/400 Novell NT 6/98 9/98 12/98 3/99 6/99 9/99 12/99 3/00 6/00 • Current State • Compliance tools deployed on over 1200 systems • Monthly reporting to IT management • High level compliance average include in “key management metrics” database • NT rollout just beginning

  8. Benefits to Date • Average (overall) compliance score has increased from 62% to 86% • Lockdown tools & processes have been established • Security awareness and acceptance of accountability of SAs, IT management has increased significantly • Security compliance part of performance reviews • Good relationships established • A foundation for future security initiatives has been established

  9. Sample Chart From Monthly Compliance Report • News…. • Key issues needing attention...

  10. Pains, Gains & By-Products • Compliance monitoring is more than a tool • - Technology + • - People • - Process • It’s okay to start small and build, refine • Set achievable goals • Only use “the hammer” when needed • Measurable results boosts ISD staff morale

  11. Other Metrics Reported • Virus Related • Percentage of file servers, mail servers and desktops with current pattern files • # virus related help desk calls • Future: # viruses cleaned/blocked/eliminated • Laptop Theft • # of unsecured laptops observed by property mgmt guards • Future: Network device security compliance • Future: Unsecured modem metrics • Future: Technology Risk Scorecard for the Director of e-Commerce

  12. Improving System Security Platform Security Guidelines Security Education Information Security Division Consulting/Assistance System Administrators Change Behavior Compliance Monitoring/Enforcement Change Culture Key Components

More Related