
'How can you achieve ongoing Compliance with regard to Information Security ?'



  1. BCS Meeting 4 February 2009, Jersey Museum 'How can you achieve ongoing Compliance with regard to Information Security ?' Adrian Wright – Secoda Risk Management

  2. Me • 25+ years in IT • 18 years in Information Security • 9 years Head of Information Security for Reuters • 250,000 systems • 1 million endpoints • 142 countries • 17.5k employees (5k s/w developers, 5k journalists!) • 7 years founder / MD of GRC software company • Speaker and writer on GRC management topics

  3. Finance regulatory involvement • Most of 18 year career in Information Security spent in Finance Sector • Reuters role included government and regulatory consultations on security, regulation and control of encryption, via Head of Regulatory Affairs • Including: • RIPA (Regulation of Investigatory Powers Act) • EU Data Protection Directive • Communications Act • Paper for Geoff Hoon (then IT secretary) on de-restricting encryption • FSA security consultation exercise (early BS7799 proposals) • ENISA (European Network and Information Security Agency) • Historical paradox…

  4. Notable quotes on Compliance “I do have a political agenda. It's to have as few regulations as possible.” Dan Quayle “The trouble with government regulation of the market is that it prohibits capitalistic acts between consenting adults.” Robert Nozick

  5. It's getting worse…

  6. Credit crunch = surge in crime • Motivation to commit crime greatly increases during recession • Financial crisis-driven cybercrime on the increase • As stocks plummet, phishing and malware attacks increase • Phishing turns into Whaling – company executives targeted

  7. Police resources & skills • Cybercrime lacks government priority • Threats of terrorism and economic collapse are diverting political attention elsewhere • Cybercriminals, by contrast, are ramping up their activities • Cross-border law enforcement not working • (viz. McKinnon case) • Law enforcement lacks the necessary skills and manpower to protect. • Some governments even sponsor information theft and other illegal acts • Officers being poached by private sector, adding to skills shortage • Money laundering and e-gold increasing • NHTCU ceased in 2006 and SOCA not part of UK policing. • New PCeU formed but woefully under-funded (£7m over next 3 years) • By contrast – US budgeted $155m for homeland security in 2008; seeks $200m in 2009 • So – you’re virtually on your own

  8. Increasing data sabotage & cyber extortion

  9. Threat trends • Threat and incident trends: • Increasing data losses • Industrial espionage increasing • Politically-sponsored espionage – wholesale • Growing black economy • organised crime accounting for £20 billion = 1.42% of UK GDP (SOCA 2008) • Hacking no longer a ‘sport’ – all done for financial gain • Mobile workforce • (a) your data is out there • or (b) you need to let them in to access it

  10. How well do we assess risk? National Safety Council – whole USA statistical averages: One year odds of dying as a direct result of: • Aircraft incident 1 in 432,484 • Automobile incident – occupant 1 in 19,216 • Automobile incident – pedestrian 1 in 49,139 • Hit by lightning 1 in 6,384,000 • Flood 1 in 13,248,000 • Electrocuted 1 in 1,019,642 • Shot by firearm (assault) 1 in 25,263 • Shot by firearm (self inflicted) 1 in 17,532 • Some type of accidental trip or fall 1 in 15,614 • Alcohol 1 in 820,271

  11. You can’t secure everything… • You cannot secure absolutely everything: • “By 2011 the amount of data we produce will exceed the capacity of the world’s storage systems” i.e. 1,800 exabytes (1,800 billion gigabytes) against total storage of 600 exabytes. CAG = 60% (IDC) • In 2012, the total annual volume of IP traffic will reach half a zettabyte (1). IP traffic will nearly double every two years through 2012: increasing by a factor of six from 2007 to 2012. • Replication: businesses hold avg 3-5 copies of all files; 15-20% have more than 10. We need to start de-duplicating now! (Discovery, DPA & FOI implications) • Ownership and value are unknown: • A resource without an owner is, by definition, unsecured. Many critical systems and information are presently going un-owned (examples) • Data classification isn’t happening or is too complex for all staff to use • Risk assessment is still a central, expert, function. Need a simpler way. (1) A zettabyte is 1,000,000,000,000,000,000,000 bytes or 10^21; equal to: 1 trillion gigabytes; 1,000 exabytes; 250 billion DVDs. (2) An exabyte is 1,000,000,000,000,000,000 bytes or 10^18; equal to: 1 billion gigabytes; 1,000 petabytes; 250 million DVDs.

  12. Investigation of the Problem: The 6 key questions “I keep six honest serving-men (They taught me all I knew); Their names are What and Why and When and How and Where and Who” Rudyard Kipling poem "The Elephant's Child" (1902)

  13. FSA Report – Data Security in Financial Services • Review and report produced by new Financial Crime & Intelligence Division (FCID), formed January 2007 • Group checks firms’ systems and controls for assessing and mitigating risk • Centre of excellence within FSA, advice and intelligence to rest of FSA • Case work on financial crime issues • During 2007, group dealt with 56 cases of reported data loss by financial services firms • Began review programme “to examine how financial services firms in the UK are addressing the risk that their customer data may be lost or stolen and then used to commit fraud or other financial crime”. • Review based on visiting 39 financial services firms • to determine how well they were identifying and tackling risks of data loss • Looked at customer data stored on: • Databases • Paper files • Held with 3rd party suppliers

  14. 270+ observations - so what’s most important?

  15. Top Theme: Staff Awareness & Testing

  16. The FSA’s Conclusions to this report: • “Poor data security is currently a serious, widespread and high impact risk to our (the FSA’s) objective to reduce financial crime” • “…there exists a very wide variation between the good practice demonstrated by firms committed to ensuring data security, and the weaknesses seen in firms that are not…” • “…data security in financial services firms needs to be improved significantly” Disappointingly, the report only makes a single passing reference to ISO27001

  17. Work Smarter – Not Harder Change how we do things

  18. Leverage ‘soft skills’ to put security on the agenda • Some ideas: • Some InfoSecurity groups getting people sales trained – ‘soft skills’ • Key people must be press trained • Use business language to communicate your concerns to the Board • War stories – lots to choose from; but only use most relevant ones • Negotiate: better to get agreement on some security than risk no security • Create alliances; the Board wants to hear one coherent message, not dozens • Don’t be the barrier to deployment. Get security into the project process • ‘Surf the indignation’ opportunity window after an incident

  19. ‘Circles of influence’ • Incomplete or forgotten tasks: within organisations, managers and functions operate within ‘circles of influence’, each owning specific tasks and responsibilities, and each having limited jurisdiction and scope. • Danger zone: ‘No man’s land’ – non-owned but potentially vital tasks. There will exist potentially important tasks and assets that don’t fall within the bailiwick of any of these owners, and consequently go unmanaged and un-secured. • Additionally, experience shows that managers and functions will sometimes offload responsibilities that don’t fit naturally into their space. Ideally, these will land within another manager’s care, but this is not always so, thereby adding to the problem of unmanaged processes and assets.

  20. New tactics: work smarter – not harder • Risk-driven: • Avoid over- or under-use of security controls by ensuring that the use of certain controls is driven by the prevailing assessed risks. • Self Service: • ‘It’s better to teach a man how to fish than to give him fish.’ • The assessment and management of Information Security needs to be a primarily self-service process, driven forward by: • Mandate – senior management endorse and command the mission, set into employees’ and managers’ Ts&Cs • Awareness – of the risk drivers, their responsibilities, the mandate, and what needs doing • Training – on how to use the tools, carry out the procedures, and where to get help and advice • Do once – use many: Security ‘building blocks’

  21. The ‘Security Building Block’ approach • The (ISC)² 10 security domains • Security management practices • Access control systems and methodology • Telecommunications and networking security • Cryptography • Security architecture and models • Operations security • Application and systems development security • Physical security • Business continuity and disaster recovery planning • Laws, investigation, and ethics • Carry out reviews at division or location level to certify the non system-specific aspects of security, and use these certified attributes or ‘domains’ in all subsequent system projects and reviews. • Identify which controls are system-specific and which are generic.

  22. “If you fail to plan – you plan to fail” • Reality check: • you can’t protect everything • you can’t prevent all breaches occurring • need to be selective about what you protect, and to what degree • plan ahead for when it does go wrong – not if it does • The role of information security has moved from that of trying to prevent all incidents – to that of (1) mitigating the impact, and (2) ensuring a favourable legal or political outcome when things do go wrong • Manual or paper-based approaches are no longer adequate. • Need to automate some risk & compliance processes to achieve the necessary coverage – at today’s speed of change • This means shifting focus to the following: • Faster and more effective incident response and management plans • Get key people press trained • Pre-agree statements and actions with legal teams before anything happens

  23. Putting it all together: A practical Case Study • Major UK financial sector company • 400+ information security policies • 100+ technical standards • Simple data classification by Data Owners • Objectives: • Increase security awareness across the whole Group • Implement improved risk assessment via tools, workshop training, automation • Improve and simplify Data Classification, so all can understand & use • Overhaul of Data Ownership responsibilities to review their systems

  24. Practical example demo • Corporate case study, combining process, people and technology to deliver an automated compliance framework. • Solution incorporated: • policies mapped to people’s roles and circumstances • automated compliance workflow to drive compliance forward with low management effort • management scorecard reports showing progress, hot spots etc. in real time • audit results gathering and staff knowledge testing to verify understanding and actual compliance across the whole business
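The scorecard mechanics described on slide 24 (policies mapped to roles, attestation tracking, knowledge-test results and audit findings rolled up into per-division hot spots) can be shown in a few dozen lines. The following is an added illustration, not the speaker's product or the case-study company's tooling; all policies, staff, scores and audit findings are constructed sample data, and the 70% pass mark and 80% target rate are assumed thresholds.

```python
"""Toy compliance scorecard: policies mapped to roles, combined with
attestation, knowledge-test and audit data per division, with hot-spot flags.
Added example with constructed data; not the tooling described in the talk."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    pid: str
    title: str
    roles: frozenset  # roles the policy applies to; "*" means every role


@dataclass
class Staff:
    name: str
    role: str
    division: str
    attested: set = field(default_factory=set)       # policy ids the person has acknowledged
    test_scores: dict = field(default_factory=dict)  # policy id -> knowledge-test score (0-100)


# Constructed sample data (hypothetical; not from the case study on the page).
POLICIES = [
    Policy("P-01", "Acceptable use of Internet and email", frozenset({"*"})),
    Policy("P-02", "Encryption of laptops and removable media", frozenset({"*"})),
    Policy("P-03", "Secure software development", frozenset({"developer"})),
    Policy("P-04", "Handling of paper customer records", frozenset({"clerk"})),
]
STAFF = [
    Staff("Alice", "clerk", "Retail", {"P-01", "P-02", "P-04"}, {"P-01": 85, "P-02": 90, "P-04": 60}),
    Staff("Bob", "clerk", "Retail", {"P-01"}, {"P-01": 75}),
    Staff("Carol", "developer", "Tech", {"P-01", "P-02", "P-03"}, {"P-01": 95, "P-02": 88, "P-03": 80}),
    Staff("Dave", "developer", "Tech", {"P-01", "P-02", "P-03"}, {"P-01": 80, "P-02": 65, "P-03": 90}),
]
# (division, policy id) -> number of open internal-audit findings (constructed)
AUDIT_FINDINGS = {("Retail", "P-04"): 2, ("Tech", "P-02"): 1}

PASS_MARK = 70      # assumed knowledge-test pass threshold
TARGET_RATE = 0.8   # assumed: below this attestation or pass rate a cell is a hot spot


def applies(policy, role):
    """A policy is in scope for a person if it is global or names their role."""
    return "*" in policy.roles or role in policy.roles


def scorecard(policies=POLICIES, staff=STAFF, findings=AUDIT_FINDINGS,
              pass_mark=PASS_MARK, target=TARGET_RATE):
    """Per division and policy: headcount, attestation rate, test pass rate,
    open audit findings and a hot-spot flag. Only in-scope policies are counted,
    so a developer-only policy never appears under a clerical division."""
    cells = defaultdict(lambda: {"headcount": 0, "attested": 0, "passed": 0})
    for person in staff:
        for pol in policies:
            if not applies(pol, person.role):
                continue
            c = cells[(person.division, pol.pid)]
            c["headcount"] += 1
            c["attested"] += pol.pid in person.attested
            # an untested person counts as not passed, not as unknown
            c["passed"] += person.test_scores.get(pol.pid, 0) >= pass_mark
    report = {}
    for (division, pid), c in cells.items():
        n = c["headcount"]
        row = {
            "headcount": n,
            "attest_rate": round(c["attested"] / n, 2),
            "pass_rate": round(c["passed"] / n, 2),
            "open_findings": findings.get((division, pid), 0),
        }
        # attestation without understanding, or understanding without attestation,
        # or any open audit finding, all surface as a hot spot
        row["hot_spot"] = (row["attest_rate"] < target or row["pass_rate"] < target
                           or row["open_findings"] > 0)
        report.setdefault(division, {})[pid] = row
    return report


def hot_spots(report):
    """Sorted (division, policy id) pairs that need management attention."""
    return sorted((d, p) for d, rows in report.items() for p, r in rows.items() if r["hot_spot"])


if __name__ == "__main__":
    rep = scorecard()
    for division, rows in sorted(rep.items()):
        for pid, r in sorted(rows.items()):
            flag = "HOT" if r["hot_spot"] else "ok"
            print(f"{division:8} {pid} attested={r['attest_rate']:.0%} "
                  f"passed={r['pass_rate']:.0%} findings={r['open_findings']} {flag}")
```

The point the slide makes, that attestation alone is not evidence of compliance, is why the scorecard keeps attestation rate and test pass rate as separate columns: in the sample data the Tech division has fully attested the encryption policy but only half of its staff pass the test on it, and that cell is flagged even before the audit finding is counted.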

  25. User Awareness • PCI Awareness Example

  26. Where we need to focus: • Training & Awareness – must include role specific guidance & testing • Written policies – communicated and relevant to staff’s daily work • Staff vetting – focus on junior rather than senior, repeat periodically • Access rights – joiners and leavers, role based access profiles • Control staff use of Internet, Email, P2P, IM • Key-logging devices & software • Laptops, USBs, CDs and other devices – encrypted • Physical security • Disposal of paper-based customer records • Managing third party suppliers & data • Internal Audit skills and expertise

  27. Crisis – or Opportunity? Weiji [way-jhee], modern Chinese for "crisis". "The word 'crisis' is composed of two characters: one represents danger, and the other represents opportunity."

  28. adrian.wright@secoda.com 44 (0)8456 4 27001
