Defending the Digital Frontier: An Overview. Mark W. Doll, Americas Director, Digital Security Services, Ernst & Young LLP.

Rudy Giuliani's call to action:
The time has come for senior executives of U.S. corporations to follow the President's lead and make security a mainstream, business-critical, board-level issue…the time when security-related decisions could be left to persons at a mid-manager level or decided solely upon budgetary considerations has passed. Senior executives must now take the steps to plan, prepare and practice to address their organizational security threats and challenges.
California Senate Bill 1386, effective July 1, 2003, requires a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.... The bill would require an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data, as specified. The bill would state the intent of the Legislature to preempt all local regulation of the subject matter of the bill. This bill would also make a statement of legislative findings and declarations regarding privacy and financial security.
The digital frontier and corresponding security risk combine to create a new frontier. We call this the security frontier.

The Security Frontier

[Figure: Reliance on IT plotted against Impact of Failure; IT Usage plotted against Probability of Failure]
Caught up in the pursuit of productivity improvements, management apparently overlooked security.

The Digital Security Gap

[Figure: Total IT Spending compared with Total Security Spending]

Business management apparently overlooked security.

Objectives

1) Aligned digital security
The attainment and maintenance of appropriate alignment among digital security, the IT organization, digital asset and business objectives.
The distance between the top levels of management and the security team is known as the Security Management Gap.
Information Technology Organization
79% of respondents in the 2002 Ernst & Young Digital Security Overview survey indicated that the documentation, implementation and follow-through cycle for their information security policies was not being carried out completely.
A holistic view of the security needs for the entire organization, as well as its extended enterprise, to ensure consistent, efficient deployment. Critical authority is given to a centralized body to ensure consistently highly effective security throughout the organization.
86% of companies surveyed have intrusion detection systems in place. However, of those companies, only 35% actively monitor 95% to 100% of their critical servers for intrusions.
Real-time monitoring and updating of all security policies, procedures and processes to ensure a timely response to issues and opportunities.
Not occasionally. Not periodically. Continuously.
46% of respondents indicated that they use manual or partially automated methods of tracking physical assets as opposed to fully automated methods.
The ability of a security program to effectively anticipate potential threats and vulnerabilities and to maintain the confidentiality, integrity and availability of its digital assets.

Only 16% of respondents have wide-scale deployment of vulnerability tracking mechanisms and knowledge of all critical information vulnerabilities.
Achieving highly effective digital security requires third-party validation of critical security components and business objectives.
[Figure: Rigor of Validation, increasing from validation to a unit, to a standard, to a business objective]

66% of respondents indicated that their information security policies are not in complete compliance with the domains defined by ISO 17799, CISSP, Common Criteria or other recognized models.
Policies, standards and guidelines that provide fundamental direction on digital security issues and are endorsed by senior staff. To be formal, they must be documented and tested, then communicated to every member of the organization.
13% of respondents have integrated business continuity and disaster recovery plans that address recovering the entire enterprise. 7% indicated they have no documented plans in place.
[Figure: risk matrix plotting Impact of Occurrence against Frequency of Occurrence, with the Fulcrum of Control dividing categories such as Dept. of Homeland Security risk, risk to a customer segment, risk to multiple customers, chronic or series of inefficiencies, and core process or system shutdown]
The level of commitment of an organization’s personnel to the principles of security will determine the success or failure of the digital security program.
Digital Security Services
Ernst & Young LLP
Web site: ey.com/security
Security Info-line: 888-706-2600