Ken is Vice President for CA, Inc. in Canada with over 25 years of experience in enterprise risk services, specializing in enterprise security architectures, information security operations, and regulatory compliance solutions globally within the banking, healthcare, government and telecommunications sectors.
Ken manages CA’s Technology Services within the below sectors:
Banking & Finance
Gas & Oil
Electricity & Power
Local, State, Federal
Ken has authored technical security standards for State and Federal Government Agencies, Regional Banks, Regional Telecommunications carriers and authored technology white papers in the area of information security and regulatory compliance.
Prior to CA, Ken was a manager in the KPMG LLP Information Risk Management practice, Chief Security Officer of an international telecommunications provider, and founder of META Security Group.
Past and present credentials include:
Certified Fraud Examiner (CFE)
Certified Homeland Security Consultant (CHS)
Certified Information Systems Security Professional (CISSP)
Enterprise security is a quality that must be embedded into all corporate functions.
We are experiencing a convergence of the need for reliability, privacy and accountability.
Commerce and IT are interconnected in ways that could not have been envisioned a generation ago.
Data security and privacy concerns are pervasive, while threats include situations that are simultaneously intentional and difficult to quantify and anticipate.
The only logical response to the requirement to maintain financial integrity, investor confidence and sustainable operations is a program with a comprehensive approach to corporate governance as it relates to information management, security and availability.
Deliver instant security for regulatory compliance
Securely manage events and take action
Today’s Business Challenges
Governance: lack of transparency into business processes, business data and IT operations leads to a lack of required corporate oversight
Compliance: fines and/or sanctions for non-compliance
Operating Costs: inefficient and labor-intensive operations; insufficient information for budgeting and planning
Capital Costs: uninformed procurement; unnecessary hardware and software
Losses/Risk: security breaches; loss of critical business data; inconsistent processes
Downtime: unavailable business-critical applications and processes
Agility and Time to Market: slow and costly change, inflexible business processes
These issues have been top-of-mind for the last several years, and remain so today.
The result is a lack of alignment between IT and business needs
To Meet These Challenges, IT Must Evolve
“95% of IT organizations still create IT strategic plans without fully understanding the business benefits … It is these plans that fall by the wayside … CIOs must create more focused, business-friendly, and actionable plans.” -- Meta (March 2005)
To date, CIOs have not had the tools available to:
Create a business-driven IT organization
Solve business challenges, and
Manage IT operations like a business
This is the mandate for the next phase of IT evolution
Business Impact of IAM Functionality
IAM functionality: Provisioning & Federated Identity; Audit; Delegated Administration & Self-Service; Password Management; Single Sign-On; Registration & Enrollment; Authentication and Authorization; Information Consolidation
Business impact areas: User Satisfaction; Regulatory Compliance; Risk Management; Operational Efficiency; Cost Containment; Business Facilitation
Enterprise IT Management Vision: To Manage & Secure It All
What is managed: Application Environments; Assets; Users; Business Processes; IT Services; IT Processes & Best Practices
Management disciplines: Security Management; Enterprise Systems Management; Business Service Optimization; Storage Management
Enterprise IT Management (EITM) is CA’s vision and strategy for integrated IT management across traditionally distinct IT disciplines
Optimizes and automates the performance, reliability, high-availability and efficiency of enterprise IT environments.
Enables our customers to deliver IT seamlessly as a service and reduces TCO
Leverages common services and a central management database that provides a unified view of all aspects of the enterprise
EITM is supported by CA and partners and is based on industry best practices
Step 1: Define Your Business Operations and Needs
Business Enablement and protection
Protect the entity’s IT assets in open global network environment
Secure current infrastructure
Include security in ongoing development
Include security in ongoing implementation
Effective deployment of security technology to increase effectiveness and efficiency of security processes
Protect intellectual property
The strategic business objectives should be mapped to the strategic vision, mission and service objectives for the security organization. Business objectives, each with an impact on security objectives:
Increase sales and expand to new markets
Extend the enterprise
Technology enable the organization
Increase Customer satisfaction
Enhance business processes
Step 2: Determine Overall Maturity Level
Information Delivery Maturity Levels (value, and cost, rise with each level):
Level 1, DATA: centralized access to data, content & applications
Level 2, INFORMATION: refine, analyze & sort data, delivering security information (Security Monitoring)
Level 3, KNOWLEDGE: apply business relevance to information to determine business priorities (Security Management)
Level 4, ACTION: act on real business knowledge in a single place according to business need (Security Command Center, providing situational awareness)
Focus on producing a baseline blueprint, developing a high level target state, and IS strategy alignment.
Architecture planning framework (IS and BU jointly, under Project Planning and Management):
Where are we today? Existing Baseline: Organization and Core Competencies; Technology Environment; Information and Process Support; Applications; Communications Networks
What should we look like? Target State: Process State; Information State; Organization State; IT Technology State
How should we get there? Migration Plan; Architecture Documentation; Resource Plan
Alignment inputs: Business Operations & Needs; Security Vision & Mission; IS Strategy; Information Technology Architecture & Processes
Identity provisioning process flow
Inputs: New Hire, Transfer or Termination requests arriving via HR feed, delegated management, self management or SPML request
Standards and policies: define authoritative sources; define self-registration policy; define delegated managers; define federated trust
Identity Management (internal identity management processes) and Role Management, backed by a provisioning business rules engine and roles engine
Workflow:
Open service request (workflow)
Service request approved, if required, by multiple approvers (zero or many on some paths, one or many on others)
Workflow process followed; separation of duties checked
Attributes received from authoritative source
Unique identifier established or checked
Policy verification, then create, modify or delete the identity: add, change or remove access rights
Close request; log events
Roles involved (legend): Applications Developer, End User, Internal Audit Manager, Security Manager, Application Manager, HR, IT Operations Manager, Business Manager
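A minimal model of the provisioning flow above, added here as an illustration rather than code from the presentation or from CA: a request from an authoritative source or delegated manager must collect approvals, pass a separation-of-duties check, establish or check a unique identifier, have its access rights applied, and be logged. The role names, the SoD policy and the rule that terminations need no approver are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed separation-of-duties policy: role pairs one identity may not hold.
SOD_CONFLICTS = {frozenset({"ap_clerk", "ap_approver"})}

@dataclass
class Identity:
    uid: str
    roles: set = field(default_factory=set)

@dataclass
class Request:
    kind: str           # "new_hire", "transfer" or "termination"
    uid: str            # unique identifier from the authoritative source (HR feed)
    roles: set          # target roles after the change
    approvals: int = 0  # approvals recorded by the workflow

def sod_violation(roles):
    """Return the first conflicting role pair held together, or None."""
    for pair in SOD_CONFLICTS:
        if pair <= roles:
            return pair
    return None

def process_request(req, directory, log, min_approvals=1):
    """Run one request through the workflow; returns 'closed' or the rejection reason."""
    # Assumption: terminations come from the HR feed and need no approver.
    if req.kind != "termination" and req.approvals < min_approvals:
        log.append(f"{req.uid}: rejected, {req.approvals} approvals < {min_approvals}")
        return "needs_approval"
    conflict = sod_violation(req.roles)
    if conflict:
        log.append(f"{req.uid}: rejected, SoD conflict {sorted(conflict)}")
        return "sod_conflict"
    if req.kind == "new_hire":
        if req.uid in directory:  # unique identifier established or checked
            log.append(f"{req.uid}: rejected, identifier already exists")
            return "duplicate_identifier"
        directory[req.uid] = Identity(req.uid, set(req.roles))  # add access rights
    elif req.kind == "transfer":
        if req.uid not in directory:
            log.append(f"{req.uid}: rejected, unknown identifier")
            return "unknown_identifier"
        directory[req.uid].roles = set(req.roles)  # change access rights
    elif req.kind == "termination":
        directory.pop(req.uid, None)  # remove access rights
    else:
        return "unknown_request"
    log.append(f"{req.uid}: {req.kind} closed")  # close request, log events
    return "closed"
```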
Step 6: Develop a Blueprint
The blueprint maps four stages of IT maturity (starting point, Efficient, Responsive, Business-Driven) against IT organizational characteristics, technical capabilities, component-level systems and ROI.
Starting point (focused on traditional services)
IT organizational characteristics: Focused on Traditional Services; Slow to Handle Change; Informal and Reactive Processes
Technical capabilities: Active Enterprise Identity Inventory; Password Policy Enforcement; Centralized Password Management; Self-serve Password Reset
Component level: Virtual Identity Directory; Password Management System; System/App Level Mgt of Users; Consistent Cross-platform Web Interface; Manual User Export from HR System
Efficient
IT organizational characteristics: Change in Business Priorities; IT Change Driven by Cost / Regulatory Pressure; Commitment to Centralization and Automation; Adopts ITIL Svc Mgt to Formalize Processes
Technical capabilities: Automated Identity Provisioning; Workflow Process Automation; Correlation with Authoritative Source (i.e. HR); Entitlement & Change Report Generation; Web/Desktop Password Reset
Component level: Identity Management System; Workflow Engine (Web forms, Rules); Identity Reporting System; Delegated User Administration; Feeds from HR Authoritative Source; Integration With Key Identity Systems
Responsive
IT organizational characteristics: IT Now Involved in Business Change Planning; Manages to SLA and Controls; Integrated Enterprise-wide IT Management; Tracks Performance of Processes
Technical capabilities: Automated Identity & Role Processing; Entitlements Exception Reporting; Syncs Multiple Authoritative Srcs (e.g. Contractors); Self-serve Registration Process
Component level: Role Management System; Feeds from All Authoritative Sources; Business Application Provisioning; Workflow for Application Security Review; Role-based Entitlements Management; Application Directory Integration; Integration With Business Apps & Infrastructure; Entitlement Synchronization System
Business-Driven
IT organizational characteristics: Ready for Business-Driven Change; Rapidly Support New Services and Customers; Enables Support for Growing Partner Ecosystem; Automated Process Improvement
Technical capabilities: Web Services Security; Interoperability w/SPML & Enabling SAML; Automated Resource Provisioning; Federated Trust Management; Provisioning Authentication Technologies
Component level: Web Services Business Integration; Integration With Building Access Systems; Partner Identity Management; Integrated Business Processes; CMDB Integration
ROI across the stages: Reduced cost in partner access and change management; Reduced cost in business application and compliance due to automation of role and entitlement management; Administrative cost savings due to automation of processes for identity management; Reduced helpdesk costs with automated password management
Step 7: Initiate Transition To Next Level Of Maturity
Once you have built the security program you must maintain it at an appropriate level while continuing to evolve it for the next business generation.
A security communication process and regular plan
“Ease of Use” and practical solutions and approaches
Process based capabilities focus versus technology/project/initiative focus
Architectural models with reusable, scalable components
Foundation built on principles
Business Units actively involved in self assessment, risk assessment and awareness
Funding and resource levels appropriate with business risk profile, with differentiation between maintaining current capabilities (IS budget) and new capabilities for new changes in BU operations (BU or IT budget)
Connection to the business units and alignment of strategies and priorities
Monitoring and feedback loop with enforcement
Measurement system focused on performance management not statistics
Executive focus, sponsorship and reinforcement
BU ownership of security and requirements with IT delivering the services
BU leadership evaluated on security performance through individual and BU results (charge units for failure to comply)
Interfaces and formalized communications among the related parties (audit, legal, compliance, technology)
Focusing Across Key Areas of IT Security: Privacy; Identity and Access Management; Threat Management; Intelligent Security Management
Provides Sustainable Security Management
Data: alerts (IDS sensors, AV alerts, FW messages, host logs) raised by an attack or a new attack, e.g. Netsky, Bagle, Mydoom
Discovery: correlate the alerts; check assets & vulnerabilities; align to business by prioritizing to business level
Resolution: initiate remediation actions; remediate
Security needs to help organizations understand what is happening and how it relates to the business.
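An added example, not code from the presentation or from CA, of the correlate-and-align step above: raw IDS, AV and firewall alerts are parsed, matched against an asset inventory that carries business criticality and known open vulnerabilities, and ranked so that an alert against a critical, actually exposed asset rises to the top. The feed format, hosts, signature names, criticality scores and scoring formula are all constructed for the example.

```python
import re

# Constructed asset inventory: business criticality 1-5 and known open vulnerabilities.
ASSETS = {
    "10.0.1.5": {"name": "payroll-db", "criticality": 5, "vulns": {"worm-smb-vuln"}},
    "10.0.2.9": {"name": "kiosk-pc", "criticality": 1, "vulns": set()},
    "10.0.3.20": {"name": "web-portal", "criticality": 4, "vulns": set()},
}
# Constructed mapping: which open vulnerability an alert signature actually needs.
SIGNATURE_REQUIRES = {"WORM-Mydoom-SMB": "worm-smb-vuln", "WORM-Netsky-SMTP": "mail-relay-vuln"}

# Constructed sample feed: IDS, AV and firewall events normalized to one line format.
SAMPLE_ALERTS = """\
ids src=198.51.100.7 dst=10.0.1.5 sig=WORM-Mydoom-SMB sev=3
av src=10.0.2.9 dst=10.0.2.9 sig=WORM-Netsky-SMTP sev=3
fw src=198.51.100.7 dst=10.0.3.20 sig=WORM-Mydoom-SMB sev=3
ids src=203.0.113.4 dst=10.0.9.99 sig=WORM-Mydoom-SMB sev=3
garbage line that the parser must skip
"""
LINE_RE = re.compile(r"^(\w+)\s+src=(\S+)\s+dst=(\S+)\s+sig=(\S+)\s+sev=(\d)$")

def parse_alerts(text):
    """Turn the raw feed into alert dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            alerts.append({"source": m.group(1), "src": m.group(2), "dst": m.group(3),
                           "sig": m.group(4), "sev": int(m.group(5))})
    return alerts

def prioritize(alerts):
    """Correlate each alert with the asset inventory and rank by business priority.
    Score = severity x business criticality, doubled when the target is actually
    exposed to the vulnerability the signature needs; unknown assets score 0."""
    for a in alerts:
        asset = ASSETS.get(a["dst"])
        if asset is None:
            a["priority"], a["reason"] = 0, "unknown asset"
            continue
        exposed = SIGNATURE_REQUIRES.get(a["sig"]) in asset["vulns"]
        a["priority"] = a["sev"] * asset["criticality"] * (2 if exposed else 1)
        a["reason"] = "vulnerable" if exposed else "not vulnerable"
    return sorted(alerts, key=lambda a: a["priority"], reverse=True)
```

Alerts against hosts absent from the inventory land at the bottom with a "unknown asset" reason, which is itself a finding for the asset inventory rather than for the incident queue.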
Organization requires an analysis of external audit results.
Provide a gap analysis utilizing EDM - Maturity Model tools.
Develop a solution blueprint for Identity and Access Management based upon Integrated Information Technology Flows (IIF).
Develop Solution Architecture Overview (SAO).
Risk assessment summary: for Regulatory Non-Compliance, Loss of Reputation and Downtime, the assessment rates Probability of Occurrence and Impact Factor (L/M/H), states the Overall Current Risk, and rates Current Maturity With Respect to Leading Practices; Maturity aggregates impact and probability.
Maturity scale:
0 Control is not in place with no current plans to implement.
1 Control is not in place with approved plans to implement.
2 Control is partially in place with no current plans to implement.
3 Control is partially in place with approved plans to implement.
4 Control is in place with exceptions.
5 Control is in place without exceptions.