Introduction
  • Welcome!
  • Format of day
  • Response to previous requests from clients
  • Amendment to schedule

Using Information Security for Business Advantage

MWR InfoSecurity
The Business Case for Information Security
12 March 2009
Alex Fidgen, Ian Shaw

What will we achieve?
  • Help you gain organisational commitment and justify required spend
  • Introduction
  • Part 1 - Visualisation techniques
  • Part 2 - Communication techniques
  • Part 3 - Supporting frameworks

Introduction
  • Communicating security risk can be very hard in environments without structured metrics
  • The classic chicken-and-egg scenario
  • We did not want to concentrate on the "is there / isn't there" argument for ROI
Problems
  • Senior Management and Board directors need to increase shareholder value
  • Mature metrics make it easy to communicate shareholder-value-based risk
  • Associating technical risks with revenue is impossible without a business context
  • Information security managers with IT backgrounds find it hard to communicate risk at a business level
  • The business seldom understands the value of its information assets
Communication!
  • This is a communication issue!

Part 1 – Protecting Traditional Assets (Opening the Board’s Eyes to Information Security Spend – Is information security spending in line with traditional asset protection?)

Questions your Board may be asking
  • Why do we need to worry about this information security issue?
  • Why is Malware Protection so expensive?
  • Are these costs of doing business online justified?
  • I don’t understand whether this expenditure is justified
  • The following examples have been developed to demonstrate how security is integrated seamlessly into existing business models
  • Try to ignore any immediate reaction to industry sector!

Typical Retail Organisation (Asset Protection)

Business areas shown in the diagram:
  • Human Resources
  • Finance
  • Warehouse / Distribution
  • Shops

Traditional protection measures shown around them:
  • Vetting / References
  • Internal Audit
  • Disciplinary Procedure
  • External Audit
  • Credit Control
  • Secure Cash Handling
  • Accounting Policies / Standards
  • Financial Reconciliations
  • Security Guards
  • Store Detectives
  • Stock Control
  • Counterfeit Detection
  • Safes / Alarms
  • Product Integrity*
  • RFID
  • Cardwatch
  • CCTV
  • Local Crime Schemes

* For example: tamper evident jars

Typical E-Retail (Information Asset Protection)

Business areas shown in the diagram:
  • Business Interfaces
  • IT/IS/Development
  • Data Storage
  • Ecommerce Site

Information asset protection measures shown around them:
  • Vetting / References
  • Information Security Policies
  • Disciplinary Procedure
  • Build Standards
  • InfoSec Awareness Training
  • Threat Modelling
  • Anti-Virus
  • Security in SDLC
  • Patch Management
  • Application Testing
  • Vulnerability Assessment
  • Penetration Testing
  • Configuration Reviews
  • Access Control Reviews
  • Encryption
  • Firewalls
  • Legislative Compliance
  • Monitoring / Intrusion Detection

In Summary
  • Information asset protection still lags behind traditional asset protection
  • Opening the organisation’s eyes to traditional security measures can ‘set the scene’ to introduce information security
  • A simple visualisation technique helps soften attitudes to information security spend

Part 2 – A model for information asset identification and classification

Part 2 - Communication of risk
  • High level abstract link…
  • How best to communicate the risk from this point forward
  • Need to highlight risks that may impact shareholder value
  • Must be flexible and expose risks not currently perceived
  • One technique is threat modelling…plenty of others however

Risk – A quick reminder

  • Threat – An event that could have a detrimental effect on an asset
  • Vulnerability – A conduit that could be exploited by a threat
  • Asset – An item of value
  • Risk
  • Business Impact – The effect on a business of a risk being realised

What is threat modelling
  • Threat Modelling:
    • Grades Threats
    • Allows identification of vulnerabilities
    • Enhances the final calculation of risk
  • Very powerful and business focussed

What it can provide:
  • Defence in depth
  • Effective controls with efficient expenditure
  • Asset protection is proportional to the business value
  • Greater measurable returns on security investment

Case Study – Insurance Company
  • In excess of 600 systems
  • Business run in a federated sense
  • There is/was no centralised security management function
  • Some security testing in the past against core systems
  • No set budget for security
  • Some basic security training, around physical security and access control

How the model was formed…
  • Identified the systems and the assets
  • A high-level risk assessment based on the business risk and potential business impact
  • Assignation of a commercial revenue value to each system

How the model was formed… (cont.)
  • All revenue streams documented
  • The most important systems quickly became evident
  • Allowed focus on the most financially important assets
  • Intangible assets were also assessed (reputation, client satisfaction, employee happiness etc.)
What did this do?
  • This made an actual and tangible link for the management team, connecting the value of the information assets (within systems) with the value of assigned security spend to identify and manage the risk
  • It opened their eyes to the asset value, and made justification of budget almost self-fulfilling
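The case-study model above (systems mapped to the revenue streams they underpin, graded threats and vulnerabilities, intangible value, then a ranking that makes the financially important systems evident) as an added illustration; this is not MWR's own tooling, and every system name, revenue figure, grade and risk-appetite value is constructed for a hypothetical insurer.

```python
from dataclasses import dataclass

# Constructed sample revenue streams (annual revenue); not real figures.
STREAMS = {
    "Motor policies": 40_000_000,
    "Home policies": 25_000_000,
    "Broker portal": 10_000_000,
}

@dataclass
class System:
    """An information asset: a system, the revenue streams it underpins,
    and its graded threat and vulnerability (1 = low, 5 = high)."""
    name: str
    supports: list              # revenue streams that depend on this system
    threat_grade: int
    vulnerability_grade: int
    intangible_value: int = 0   # reputation, client satisfaction etc. (constructed)

# Constructed systems; grades are illustrative, not assessed values.
SYSTEMS = [
    System("Policy administration", ["Motor policies", "Home policies"], 4, 3, 5_000_000),
    System("Claims handling", ["Motor policies"], 3, 2),
    System("Broker web portal", ["Broker portal"], 5, 4),
    System("HR system", [], 2, 3, 2_000_000),
]

def asset_value(system, streams):
    """Commercial value assigned to a system: revenue it underpins plus intangibles."""
    return sum(streams[s] for s in system.supports) + system.intangible_value

def exposure(system, streams):
    """Revenue at risk: asset value scaled by graded likelihood (threat x vulnerability / 25)."""
    value = asset_value(system, streams)
    return value * system.threat_grade * system.vulnerability_grade / 25

def rank_systems(systems, streams):
    """Rank systems by exposure so the most financially important ones stand out."""
    rows = [(s.name, asset_value(s, streams), exposure(s, streams)) for s in systems]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def over_appetite(systems, streams, appetite):
    """Systems whose exposure exceeds the board's stated risk appetite: the gap
    between the current position and where the board wants to be."""
    return [name for name, _, exp in rank_systems(systems, streams) if exp > appetite]

if __name__ == "__main__":
    for name, value, exp in rank_systems(SYSTEMS, STREAMS):
        print(f"{name:24s} value {value:>12,.0f}  exposure {exp:>12,.0f}")
    print("Above appetite:", over_appetite(SYSTEMS, STREAMS, 5_000_000))
```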
Part 3 – Effecting Change (Operational Information Security)

Where are we?

  • Information Assets + Threats + Vulnerabilities = Risks
  • Risks + Existing Controls = Current Position

What is the appetite for risk?

  • Where we want to be − Current Position = Organisational Changes (Stage 1)

Stage 1 – Organisational Change
  • What is required for successful organisational change
  • Change Plan – how will we know when we arrive?
  • Resources – do we have the resources to achieve the change?
  • Sponsorship – do we have executive backing for change?
  • Support (Culture) – important if exec sponsorship is broken?

Stage 2 - Operation
  • Measure performance (results not activities)
  • Make changes as necessary
  • Periodically review performance
  • Review measures

Summary

Questions?
