122 May 2009Solving Problems That Don’t Exist!building better security practicesRafal M. LosSolutions Specialist, HP ASC

Session OverviewIn today's enterprise, Web Application Security has come front and center for security managers as well as the business. The reason many well-funded, well-backed programs fail is because they miss the fundamental rule of problem solving – understand the problem. The secret to success is simple – understand your business context and build a program around that.How can you develop an actionable, business-risk driven program for your enterprise? Understanding your role within the business is key, followed by successful identification of a cornerstone upon which to base the program. Evaluating data value, application visibility and business exposure one step at-a-time, and assigning real, measurable risk are the necessary steps to making sure your program is well-grounded in business value. Participants will be given a strong foundation to succeed, so they don't end up solving problems the business doesn't have.

FundamentalsSecurity is all about mitigating riskRisk is a high-complexity problemIT alonecan not eliminate riskSecurity must work through the business

Knowing Your RoleRole is fundamental to problem solvingWhere you report into your organization makes a big differenceIdentify your function and capacityIs security tactical or strategic?Is security a business stake-holder?

Identifying a CornerstoneBuild your program on a key principleYou must answer this question:“Why does the business care about security?”External compliance or regulationsInternal governance requirementsCompetitive differentiator/advantageIncident prevention

Security Program CharterPublish a charter documentApply these 5 key knowledge pointsFocus on the cornerstoneUse content & context for business metricsPublish the risk profile componentsEmphasize transparencyFocus on building business valueThis is your road map to success

Business Value MetricsDefinition: metrics which can meaningfully quantify the business value proposition of risk mitigationKeys to good metrics:Must be business-input drivenUniformity of perspectiveMust never allow for “maybe”

Context & ContentAssign concrete values to $Rn and $VContent – Monetary value of data asset ($V)Context –Assign asset value relative to environmentValue Ratio:Data ValueAsset ($Vn)= $Rntotal assets ($Vt)

Context & ContentSite VisibilitySite Visibility (Vis): Metric derived from an identification of the public awareness of the siteContext – 3 Categories High – Publicized, indexed, well-linkedexample: company storefrontModerate – Indexed, searchable, sparsely linkedLow – Non-indexed, private, non-linkedContent – How desired is the data in the site?

High – Publicized, indexed, well-linked

example: company storefront

Moderate – Indexed, searchable, sparsely linked

Low – Non-indexed, private, non-linked

Context & ContentBusiness Exposure (Exp): Public business risk profile derived from the dynamics of the business unitHigh | Moderate | LowContext – What line of business is the company/unit in?How does the line of business contribute to the amount of risk the company undertakes in daily operations?Consider your business’s risk management group your best allyBusiness Exposure

Context & ContentAcme Credit CompanyAcme Credit Company processes credit card transactions, and thus stores and processes hundreds of millions of credit cards weekly. Web site An is a portal for merchant processing of credit and debit payments, temporarily storing as many as one million credit cards for processing per day; this is the Acme Co’s primary business.$Rn = .8 (most of the company’s total assets are here)$V = $10,000,000 (business value of 1 million records)Vis = Moderate (indexed, searchable, but non-publicized site)Exp = High (credit card processors are a big target)Case Study

Building Risk ProfilesAllows for mathematically derived priorities based on business-driven inputGoals:Transparency: formula for deriving priority metric is publishedObjectivity: real numbers remove biasEach site must have a risk profilePrioritization Matrix

Building Risk ProfilesPrioritization MatrixAssigning Values to the Matrix$V = Direct dollar-value of asset$R = Computed ratioVis valuesExp values

Building Risk ProfilesHow does priority get computed?Priority = Log10 ($V x $R x Vis x Exp)Heavily weighted to data valueRightfully so! Data value is important$R works to segregate sites within a businessVis and Exp work to distinguish between multiple businessesThe Formula

Building Risk ProfilesThe formula is not a Silver Bullet Prioritization addresses business value (of a site) objectivelyAddressing business value increases the chance of your program’s successYour Goal: risk reduction and business valueThe Formula

ExecutingDemonstrate business understandingContinue a two-way conversationBe ready to change strategies with the business

Questions?Click on the questions tab on your screen, type in your question (and name if you wish) and hit submit.