(ISC)2 SecureAsia@Seoul Conference, 29-30 Oct 2008
Change in enterprise information security strategies for responding to emerging threats
2008.10
Dr. Soojung Shin, CISSP, Executive Vice President, Infosec, Korea
Contents
• Change in the recent threats
• Expanded attack
• Change in the environment
• Change in the strategies
• Strategies
• Conclusions
1. Change in the recent threats (Past → Present)
• Ability show-off → Clear monetary goal
• Cyber system → Customer information
• IT infrastructure attack → Application attack
• Attacking the target company's systems directly → Attacking users, social engineering, using a roundabout path
2. Expanded attack (attacker → internet → enterprise information)
• (1) System/application attack
• (2) Wireless attack
• (3) Attack using a trusted entity (partnership network)
• (4) Attack on users (employee/partner)
• (5) DDoS attack
• (6) On/off-line information leakage (document, USB, PC, backup…)
3. Change in the environment (Past → Present)
• Government: Autonomously regulating environment → Strengthened government-based legal regulations
• Customer: Passive, sporadic response → Positive, collective response
• Enterprise: Particular department, CIO/CSO's agenda → The whole company, CEO's agenda
4. Change in the strategies (Past → Present)
• Infra-centric → Information-centric
• Technology-centric → People-centric
• Security → Security & Privacy
• Security target: Company and people → Virtual company & people
• Baseline-centric → Risk-centric
• Ad-hoc approach → Process and governance
• Company-own policy → Compliance & due diligence
5. Strategies (1): Information-centric
[Diagram: area of interest spans network, system and application; threat information, vulnerability information and asset information are combined as dynamic information to derive risk]
5. Strategies (2): People-centric
• Who are the core of security risk?
• What are their permissions?
• How can the risk be reduced?
• Can the number of such people be reduced?
• Can their permissions be limited?
• Will the training be strengthened?
• Will the technical controls be strengthened?
• How can spontaneity be induced?
• How can audit and assessment be conducted?
[Diagram: area of interest spans network, system and application; threat, vulnerability and people information are combined as dynamic information to derive risk]
5. Strategies (3): Security & Privacy
• Analysis & control of the personal-information handling process (on & off-line)
• Analysis & control of people in accordance with the process
• Analysis & control of systems managing and protecting the personal information
• Designing a personal information protection management framework & architecture
[Diagram: personal-information lifecycle (generate/collect → store → use → transfer → destroy) mapped against privacy principles (collection/use limitation, identifying purpose, consent, notice, openness & transparency, data quality, individual participation, security management, accountability) and security properties (confidentiality, integrity, availability), across system and process]
5. Strategies (4): Virtual organization
• Old area: enterprise assets & people
• New area: customer and partner company assets and people
• Policy, support, audit, training and certification system for the partner companies
• Policy, support and training system for customers
5. Strategies (5): Risk-centered
• Equipping the enterprise with a framework and methodology for managing information risks
• Necessity of utilizing a threat-centered risk assessment methodology
• Assessing only the company's critical assets
• Making it simple
• Making it a process
[Diagram: risk assessed at each stage of the enterprise cycle: service planning, marketing, service/system development, service/system operation]
5. Strategies (6): Governance & process
• BOD level: reviewing the information security programs and policies of the enterprise; understanding the top risks
• Executives level: security management, audit, compliance; ensuring compliance, establishing R&R, performance evaluation
• Information security organization level: security planning, operating, responding to the threats
• Secure SDLC: analysis → design → development & test → implementation → operation, with risk assessment, monitoring and secure operation
• Mutual feedback between audit and operation & check
5. Strategies (7): Compliance & due diligence (compliance process)
• Plan: understanding related regulations and law; planning
• Do: awareness and training; storing and backing up information; security monitoring; forensics
• Check: compliance check and audit; certification
• Incident: incident handling; necessity of making preparations for lawsuit countermeasures
6. Conclusion
• With 2008 being the starting point, information security has become a business issue in Korea
• Give highest priority to information & people in information security
• Construct processes & systems for ensuring compliance with laws and regulations, and for responding to potential lawsuits
• Do not make the territory of information security narrow
• Watch the change of the threats and environment carefully, and change strategies accordingly