Security matters - Knowing the risks

Transcript

  • 1. Security Matters - Knowing the risks... From Compliance to risk management… Is it finally all coming together?
    Neira Jones, Head of Payment Security, Barclaycard Global Payment Acceptance, 30th June 2011
    global payment acceptance - Leading the way in secure payments - Safe & Sound - 29 March 2011 - Security Matters - 30th June 2011
  • 2. News round up…
    Sony, Travelodge, Wordpress, Lulzsec, ESSEX, Epsilon, RSA, Lush, Dropbox, Citigroup, Lockheed Martin
    Data breaches have almost become a statistical certainty.
  • 3. Panic!
    Companies feel under pressure to meet compliance deadlines of one type or another.
    Panic to implement solutions they believe will address the most visible, urgent or potentially costly-to-ignore regulation looming on the horizon.
    With requirements evolving, companies find themselves with discrete solutions for PCI DSS, Data Protection, FSA, SOX and others.
    Many businesses are now on their 2nd or 3rd cycle of trying to automate processes related to compliance with specific policies, industry standards, and government regulations.
    RESULT:
      – Some successes with initial projects, but short lived, and costly.
      – Suppliers often guilty of perpetrating a vicious circle by describing their offering as the next “silver bullet” (expensive to maintain and impossible to integrate or scale).
      – Investments in infosec more difficult to secure as sustainability can’t be demonstrated to the Board.
      – COMPLIANCE IN SILOS
  • 4. It’s war Jim, but not as we know it...
    Today’s cybercrime industry has evolved and automated itself to improve efficiency, scalability, and profitability with a clear intent on obtaining information that can be monetised.
    The hackers’ best friends are businesses with inadequate and often outdated information security practices.
    Cybercrime / data protection is not high on the Board’s agenda.
    But... Governance & Risk Management are familiar to the Board.
  • 5. From compliance to risk management...
    Compliance is about providing evidence that controls are in place and is a tactical exercise to ensure business continuity.
    Compliance is not inherently risk aware, nor is it economically sensitive.
    Too much emphasis on compliance can actually increase risk by giving people a false sense of security.
    By connecting control – i.e. compliance – to risk, businesses can achieve major improvements in their enterprise risk management initiative.
  • 6. It’s all about risk...
    ...the identification, assessment and prioritisation of risks followed by coordinated and economical application of resources to minimise, monitor, and control the probability and/or impact of unfortunate events.
    Only 4% of breaches assessed in the Verizon Business Data Breach Investigation Report 2011 (DBIR 2011) required difficult and expensive protective measures.
  • 7. Happy 10th Birthday SQL Injection!!!
  • 8. And now for the science...
    Malware represented 80% of all data lost in 2010 and within that case load, 81% was performed via SQL injections.
    Hacking represented 89% of records stolen and 76% of these were due to lax password management and authentication procedures.
    Most data breaches are not discovered by the organisation suffering the attack.
    The Verizon DBIR 2011 further claimed that 87% of attacks could be prevented using simple, proactive measures.
  • 9. Seeing the wood from the trees...
    The 2011 Verizon DBIR concluded that being prepared remains the best defense against security breaches.
    Organisations still remain slow in detecting and responding to incidents.
    Most organisations that have suffered a breach will have evidence of it in their logs, but these often get overlooked due to a lack of staff, tools or processes.
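Slides 8 and 9 make two points that belong together: SQL injection and weak authentication account for most of the lost records, and the evidence is usually already sitting in the victim's logs. The following is an added example, not part of the presentation or of any Barclaycard tooling, of the kind of routine log review that turns that evidence into a finding. It parses a constructed sample of Apache combined-format access log lines (documentation IP ranges, invented activity), flags requests whose decoded query string carries common SQL injection indicators, and counts failed logins per source so a credential-guessing burst against the assumed `/login` path stands out. The patterns, the `/login` path and the failure threshold are assumptions for the example, not values from the slides.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log (not from the presentation). Addresses come from
# the RFC 5737 documentation ranges; the requests are invented for the demo.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jun/2011:10:15:01 +0100] "GET /products?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jun/2011:10:15:04 +0100] "GET /products?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 9034 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jun/2011:10:15:09 +0100] "GET /products?id=1%20UNION%20SELECT%20card_number%2Cexpiry%20FROM%20cards HTTP/1.1" 200 14020 "-" "Mozilla/5.0"
198.51.100.22 - - [30/Jun/2011:10:16:00 +0100] "POST /login HTTP/1.1" 401 231 "-" "curl/7.21"
198.51.100.22 - - [30/Jun/2011:10:16:01 +0100] "POST /login HTTP/1.1" 401 231 "-" "curl/7.21"
198.51.100.22 - - [30/Jun/2011:10:16:01 +0100] "POST /login HTTP/1.1" 401 231 "-" "curl/7.21"
198.51.100.22 - - [30/Jun/2011:10:16:02 +0100] "POST /login HTTP/1.1" 401 231 "-" "curl/7.21"
198.51.100.22 - - [30/Jun/2011:10:16:02 +0100] "POST /login HTTP/1.1" 401 231 "-" "curl/7.21"
198.51.100.22 - - [30/Jun/2011:10:16:03 +0100] "POST /login HTTP/1.1" 200 1870 "-" "curl/7.21"
192.0.2.9 - - [30/Jun/2011:10:17:30 +0100] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicators applied to the URL-decoded request path. These are assumed,
# illustrative patterns: enough to surface the obvious cases, not a WAF ruleset.
SQLI_RE = re.compile(r"""(?ix)
      union\s+(all\s+)?select       # appending a second result set
    | '\s*(or|and)\s+               # quote break-out followed by boolean logic
    | \bor\s+\d+\s*=\s*\d+          # tautology such as OR 1=1
    | information_schema            # catalogue enumeration
    | \b(sleep|benchmark)\s*\(      # time-based probing
""")


def parse_line(line):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Attackers URL-encode payloads; decode before matching so %27 becomes a quote.
    rec["decoded_path"] = unquote_plus(rec["path"])
    return rec


def looks_like_sqli(decoded_path):
    """True when the decoded request path carries one of the SQL injection indicators."""
    return SQLI_RE.search(decoded_path) is not None


def triage(log_text, auth_path="/login", fail_threshold=3):
    """Scan log text and return SQLi suspects and sources with repeated auth failures."""
    sqli_hits = []
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the review
        if looks_like_sqli(rec["decoded_path"]):
            sqli_hits.append((rec["ip"], rec["decoded_path"]))
        # HTTP 401 on the login path is the assumed signal for a failed login.
        if rec["path"].startswith(auth_path) and rec["status"] == 401:
            failures[rec["ip"]] += 1
    return {
        "sqli": sqli_hits,
        "failed_auth": {ip: n for ip, n in failures.items() if n >= fail_threshold},
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for ip, path in findings["sqli"]:
        print(f"SQLi indicator from {ip}: {path}")
    for ip, n in findings["failed_auth"].items():
        print(f"{n} failed logins from {ip} (followed by a 200 in the sample)")
```

On the sample, both injection attempts from 203.0.113.7 are reported, and 198.51.100.22 shows five failures before a successful login, which is the sequence a reviewer would want escalated. The point of the slide is that this is cheap: the data is already there, and a script of this size run daily is the "simple, proactive measure" the DBIR figures describe.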
  • 10. One step at a time...
    Are my employees taking information outside of the organisation? How can they do this?
    Can I limit access to this information to only those who need it?
    What types of attackers would be interested in infiltrating my systems? What would they seek? Why?
    If any web server was compromised, how difficult would it be for an attacker to work their way to those systems containing information? How easy would it be to take this information out?
    How quickly would I know this has happened? How quickly can I stop it?
    How quickly do I need to respond to the market?
  • 11. Threat/scenario modelling is only practised by a few organisations.
  • 12. We’re all in it together…
    When card data is stolen, consumers are protected...
    When identities are stolen, it’s personal and it goes viral...
  • 13. Public social concerns...
    Preventing crime                   94%
    Protecting personal information    94%
    NHS                                88%
    Equal rights                       88%
    Improving education                87%
    National security                  87%
    Environmental issues               87%
    Protecting freedom of speech       85%
    Source: ICO Annual Track 2008
  • 14. To gain understanding and trust, businesses will promote how they safeguard their customers’ personal information. Investment in information security will be driven by business reality.
  • 15. What can we learn?
    Lesson 1: Understand your risk profile.
    Lesson 2: Make risk management your objective; compliance will come naturally.
    Lesson 3: Avoid quick fixes and silos (i.e. don’t panic!).
    Lesson 4: Automate (i.e. move into BAU and use GRC).
    Lesson 5: Educate (and then do it again...).
  • 16. In the months and years to come, we can expect increased scrutiny of corporate risk management practices. In response to this, businesses will strive to understand their risk profiles and whether the risks taken are within the enterprise’s risk appetite and tolerance thresholds.
  • 17. Barclaycard Risk Reduction Programme
    Over the past 8 months, Barclaycard and IRM plc have researched and developed a risk reduction programme.
    PCI DSS is a good information security framework.
    Use PCI DSS controls in the context of a recognised risk management framework (i.e. ISO 27001, Cobit, ITIL, CLAS, etc.).
    The first step is a risk assessment.
  • 18. Asset classification (asset value)
    WEIGHT  NAME      EXAMPLES
    5       Critical  Information, systems or personnel required for the continued operation of the entire enterprise.
    4       High      Information and systems that must be protected under regulatory or industry compliance requirements. Personnel with access to this data.
    3       Medium    Information and systems that must be protected as they hold sensitive internal data. Personnel with access to this data.
    2       Low       Information and systems used in the daily operation of the business but individually not critical. Personnel with access to this data.
    1       Public    Information in the public domain, systems that are publicly accessible.
  • 19. Risk Weight (likelihood)
    WEIGHT  NAME      DEFINITION
    5       Critical  Most vulnerable areas according to industry profile – lack of control in this area can result in serious data loss/fraud and will generally be in violation of industry requirements.
    4       Severe    Lack of control over implementation of security policies could lead to a serious risk being introduced. This denotes lack of transition to BAU processes for security.
    3       High      Lack of ownership over implemented security policies could lead to a serious risk being introduced. This denotes lack of control over implemented BAU processes for security.
    2       Medium    Control failure in this area would result in a breach of internal security processes but other controls are mitigating this risk.
    1       Low       Control failure in this area requires immediate or timely attention and a process is in place to deal with it according to risk appetite.
  • 20. Actual Status
    WEIGHT  NAME                  DEFINITION
    5       Critical              Complete absence of any control leaving key assets unprotected, or an identified breach. Considered ‘Not in Place’ for PCI DSS.
    4       Major Non-Conformity  Controls are defined and implemented but are degraded to such an extent that they provide little or no protection. Considered ‘Not in Place’ for PCI DSS.
    3       Minor Non-Conformity  Controls are defined and implemented but are not uniform in their application or have some defects that need attention. Considered ‘Not in Place’ for PCI DSS.
    2       Room for Improvement  Controls are defined, implemented and effective. Some areas identified that could be considered for improvement. Considered ‘Room for Improvement’ for PCI DSS.
    1       Satisfactory          Controls are defined, implemented and effective. No further recommendations. Considered ‘In Place’ for PCI DSS.
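Slides 18 to 20 give three 1-to-5 scales (asset value, likelihood, actual control status) but stop short of saying how they combine into a prioritised list. The following is an added example, not part of the presentation and not the Barclaycard/IRM programme's own method, of a small risk register built on those scales. The combination rule (product of the three weights, 1 to 125, split into three bands) and the band thresholds are assumptions chosen for the example; the scale names, and the PCI DSS "In Place / Not in Place" mapping of the status scale, are taken from the slides. It also flags the case slides 18 and 20 together imply: a regulated asset (value 4 or 5) whose control is "Not in Place" is a compliance gap whatever its score. The four control areas are constructed.

```python
from dataclasses import dataclass

# Scales from slides 18 to 20 (names verbatim; the weights are the slide weights).
ASSET_VALUE = {5: "Critical", 4: "High", 3: "Medium", 2: "Low", 1: "Public"}
LIKELIHOOD = {5: "Critical", 4: "Severe", 3: "High", 2: "Medium", 1: "Low"}
# Status weight -> (slide name, how slide 20 says PCI DSS would record it)
STATUS = {
    5: ("Critical", "Not in Place"),
    4: ("Major Non-Conformity", "Not in Place"),
    3: ("Minor Non-Conformity", "Not in Place"),
    2: ("Room for Improvement", "Room for Improvement"),
    1: ("Satisfactory", "In Place"),
}


@dataclass
class ControlArea:
    name: str
    asset_value: int   # slide 18 weight
    likelihood: int    # slide 19 weight
    status: int        # slide 20 weight

    def __post_init__(self):
        # Reject weights outside the slides' 1-5 scales early.
        for field, table in (("asset_value", ASSET_VALUE),
                             ("likelihood", LIKELIHOOD),
                             ("status", STATUS)):
            if getattr(self, field) not in table:
                raise ValueError(f"{field} must be one of {sorted(table)}")


def score(area):
    """ASSUMED combination rule: product of the three weights, range 1..125."""
    return area.asset_value * area.likelihood * area.status


def band(value):
    """ASSUMED bands over the 1..125 product; tune to the organisation's risk appetite."""
    if value >= 60:
        return "act now"
    if value >= 20:
        return "plan"
    return "monitor"


def pci_status(area):
    """How slide 20 says the area would be recorded for PCI DSS."""
    return STATUS[area.status][1]


def compliance_gap(area):
    """Regulated data (slide 18 weight >= 4) with a control PCI would call 'Not in Place'."""
    return area.asset_value >= 4 and pci_status(area) == "Not in Place"


def prioritise(areas):
    """Return (name, score, band, pci_status, gap) tuples, highest score first."""
    rows = [(a.name, score(a), band(score(a)), pci_status(a), compliance_gap(a))
            for a in areas]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed register entries for the demonstration (not real findings).
REGISTER = [
    ControlArea("Cardholder data store encryption", asset_value=4, likelihood=5, status=4),
    ControlArea("Public website CMS patching", asset_value=1, likelihood=3, status=3),
    ControlArea("Internal HR file share access", asset_value=3, likelihood=3, status=2),
    ControlArea("Core payment switch availability", asset_value=5, likelihood=2, status=1),
]

if __name__ == "__main__":
    for name, value, level, pci, gap in prioritise(REGISTER):
        flag = "  <- PCI DSS compliance gap" if gap else ""
        print(f"{value:>3}  {level:<8} {pci:<20} {name}{flag}")
```

The ordering this produces is the slide 21 message in miniature: the cardholder-data control comes out on top both because its score is highest and because it is the one PCI DSS gap, so fixing it for risk reasons also fixes the compliance finding. The "Core payment switch" entry shows the opposite case: a critical asset with an effective control sits low in the list, which is the "don't spend £100 protecting a £1 asset" discipline the closing slide asks for.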
  • 21. Invariably, compliance will become a by-product of risk management.
  • 22. Don’t spend £100 protecting a £1 asset, know your risk, fix the basics first, and be prepared…
    Neira Jones, Head of Payment Security, Barclaycard, Global Payment Acceptance
    neira.jones@barclaycard.co.uk
    http://uk.linkedin.com/pub/neira-jones/0/7a5/140
    neirajones