Cobit 2

Published in: Economy & Finance

1. Managing Information Security Risks
   Ken M. Shaurette, CISSP, CISA, CISM, IAM
   Information Security Solutions Manager, MPC Security Solutions
   TechFest, December 2003

2. Agenda
   • Why Security?
   • Information Assets
   • Threats
   • Vulnerabilities
   • Dynamic Security Methodology
   • Risk Management
   • MPC Security Solutions Delivers
3. Why Security?
   • Legislation and community pressure
   • Inappropriate use leads to disciplinary action.
   • Protecting critical infrastructures (InfraGard, DHS)
   • Liability?
   • It's simply a good idea!

4. Regulations Touch Everyone!
   Source: Forrester / Giga Group GigaTel, Michael Rasmussen, Director of Research, Information Security, July 22, 2003.

5. Once upon a time…

6. Then things started to get a little ugly…
7. Security used to be easy to understand
   • Payroll office…
     - Lock on the door
     - Lock on the file cabinet
     - Audits
   • Together these equaled reasonable security

8. Security is now a little more complex
   • Active Directory, X.500, NDS, shadow passwords
   • VPN, PPTP, Telnet, SSH, IPsec, encryption
   • Wireless, fiber, ATM, T1, DS3, dial-up, cell, PDA
   • PKI, Kerberos, DES, 3DES, SHA, CHAP, PAP
   • Client/server, mainframe, ASP, web services
   • Thin client, thick client, skinny client, tall client
   • Terminal server, distance learning
   • HTTPS, SSL
9. You know more than you think…
   • Information security is about information
   • Technology is a piece of the puzzle
   • You should not have to master technology in order to manage risk

10. The "Good" News
   • Technology has become easier and easier to implement
     - Anyone can install a server
     - Anyone can install a network
     - Anyone can bring up a web server
     - Anyone can get connected (in lots of ways)

11. The "Bad" News
   • Technology has become easier and easier to implement
     - Anyone can install a server
     - Anyone can install a network
     - Anyone can bring up a web server
     - Anyone can get connected (in lots of ways)

12. What are we securing against?
   • Identity theft
   • Privacy issues
   • Copyright issues
   • Hijacking of resources
   • Liability
   • Regulations
13. Information Assets
   • Which does your organization have?
     - Records about special programs
     - Residents' information
     - Financial information
     - Health information
     - Statistical information

14. Information Assets
   • How do you identify value?
     - Accounting / "book value"
     - Intrinsic value / replacement cost
     - Formal quantifiable methods (BCP/DRP)
     - "Gut feel"

15. The "Best" News
   • There is hope!
16. Information Assets
   • What is worth protecting?
     - Confidentiality (keeping secrets)
     - Integrity (tamper-proofing)
     - Availability (there when you need it)
   • Why protect?
     - Community expectations
     - Regulatory requirements
     - Perception
     - Liability

17. Information Assets
   • How do you protect?
     - "Classification" (secret, top secret, unclassified)
     - Policies (separation of duties, appropriate use)
     - "Security awareness training"
     - "Common sense" or "second thought" approach

18. Information Assets
   • How much do you spend on protection?
     - Is it based on the value of the information?
     - Is it based on the number and likelihood of threats?
     - Are vulnerabilities accounted for?
     - How much is enough protection?
     - Is return on investment (ROI) expected or required?
19. Threats - Motive
   • What is the nature of a threat?
     - Confidentiality (learning secrets)
     - Integrity (tampering with data)
     - Availability (denial of service)
   • Who poses a threat to the organization?
     - Terrorists
     - Former employees
     - Unhappy residents
     - Hackers

20. Vulnerabilities
   • Absence or weakness of a safeguard
     - Safeguards reduce the likelihood of expected loss from a threat
     - Can be well known, such as a missing IIS patch
     - Can be unknown, such as a design error
   • Types of vulnerabilities
     - Technical
     - Non-technical

21. Could any of these occur?
   • Sexual harassment or stalking carried out using your computers?
   • Email threats to residents, officials, politicians?
   • Community questions about how their tax money is being used.
   • Community asks whether computer systems are being wasted?
22. Dynamic Security Infrastructure
   [Slide diagram; the labels below are all that survives of it. Cycle stages: Baseline Current Security; Security Requirements (New Risks, Legislation); Perform Gap Analysis; Strategy Definition; Security Architecture; Deploy Solutions; Compliance Reporting; Periodic Re-evaluation. Questions written on the diagram: "Where Are We Today?", "Where Do We Need to Be?", "What Are The Short Falls?", "What Is Our Security Policy?", "How Do We Get There?", "Implement!", "Experience Feedback".]
23. Security Risk Management
   • Understand the value of information
   • Understand the threats
   • Understand vulnerabilities and corresponding safeguards
   • Invest wisely in appropriate safeguards that reduce the impact of threats
   • Emergency preparedness

24. Risk Mitigation
   • Understand security risk
   • Understand technology
   • Accept risk
     - Accepting a risk does not shrink it; the control is the written record of who accepted which risk, why, and when it is reviewed again.
   • Defer or transfer risk
     - Insurance
   • Mitigate risk
     - Technology can mitigate risk
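The spend questions on slide 18 and the accept / transfer / mitigate choices on slide 24 come together once a risk is priced. The Python below is an added illustration, not part of the original deck and not MPC's method; it assumes the standard annualized loss expectancy (ALE) model, which the deck only alludes to as "formal quantifiable methods", and every asset value, rate, control cost, premium and risk appetite in it is constructed.

```python
"""Pricing risk treatments with annualized loss expectancy (added example).

Assumed model (not given on the slides):
    SLE = asset_value * exposure_factor     loss per occurrence
    ALE = SLE * annual_rate_of_occurrence   expected loss per year
Each treatment is priced as its expected annual cost:
    accept   -> carry the ALE
    mitigate -> safeguard cost + residual ALE after the safeguard
    transfer -> insurance premium
All names and figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # replacement cost / book value of the information asset
    exposure_factor: float  # fraction of the asset lost per occurrence, 0..1
    aro: float              # annualized rate of occurrence (events per year)

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which it lowers likelihood
    ef_reduction: float = 0.0   # fraction by which it lowers loss per event


def residual_ale(risk: Risk, sg: Safeguard) -> float:
    """ALE that remains once the safeguard is in place."""
    sle = risk.sle * (1.0 - sg.ef_reduction)
    aro = risk.aro * (1.0 - sg.aro_reduction)
    return sle * aro


def expected_annual_cost(risk: Risk, sg: Safeguard) -> float:
    """What the organisation pays per year if it buys this safeguard."""
    return sg.annual_cost + residual_ale(risk, sg)


def treat(risk: Risk, safeguards: list, risk_appetite: float,
          insurance_premium: Optional[float] = None) -> dict:
    """Choose accept / mitigate / transfer and return a risk-register record.

    A risk already inside the appetite is accepted and documented. Otherwise the
    option with the lowest expected annual cost wins, and a safeguard whose
    residual loss still exceeds the appetite is flagged, so that "mitigated" is
    not read as "gone".
    """
    options = {"accept": risk.ale}
    if insurance_premium is not None:
        options["transfer"] = insurance_premium
    best_sg = min(safeguards, key=lambda s: expected_annual_cost(risk, s), default=None)
    if best_sg is not None:
        options["mitigate"] = expected_annual_cost(risk, best_sg)

    decision = "accept" if risk.ale <= risk_appetite else min(options, key=options.get)
    record = {"risk": risk.name, "ale": round(risk.ale, 2), "decision": decision,
              "expected_annual_cost": round(options[decision], 2)}
    if decision == "mitigate":
        record["safeguard"] = best_sg.name
        record["residual_ale"] = round(residual_ale(risk, best_sg), 2)
        record["residual_above_appetite"] = residual_ale(risk, best_sg) > risk_appetite
    if decision == "accept":
        # Acceptance is a decision someone must own and write down (slide 24).
        record["accepted_by"] = "<name and role of the approver>"
        record["review_date"] = "<next periodic re-evaluation>"
    return record


def run_example() -> dict:
    """Constructed register: one risk worth treating, one cheaper to accept."""
    appetite = 5_000.0  # assumed: largest ALE the organisation will carry untreated

    disclosure = Risk("resident health records disclosed via an unpatched web server",
                      asset_value=500_000.0, exposure_factor=0.3, aro=0.2)  # ALE 30k
    controls = [
        Safeguard("patch management + perimeter IDS", annual_cost=12_000.0,
                  aro_reduction=0.8),                       # residual ALE 6k, total 18k
        Safeguard("encryption of records at rest", annual_cost=25_000.0,
                  ef_reduction=0.9),                        # residual ALE 3k, total 28k
    ]
    defacement = Risk("public website defacement",
                      asset_value=20_000.0, exposure_factor=0.1, aro=1.0)  # ALE 2k

    return {
        "disclosure": treat(disclosure, controls, appetite, insurance_premium=20_000.0),
        "defacement": treat(defacement, controls, appetite),
    }


if __name__ == "__main__":
    for label, rec in run_example().items():
        print(label, rec)
```

For the constructed figures the disclosure risk is mitigated with the patch-management control (18k expected annual cost against 20k to insure or 30k to accept), but the record flags that the 6k residual still sits above the 5k appetite, which is exactly the caveat slide 24's "documentation of risk acceptance" is about: the leftover also needs an owner. The defacement risk falls inside the appetite and is accepted with a placeholder for the approver and review date.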
25. How Can MPC Help?
   • Services
     - Information Security Operational Planning (ISOP)
     - Information Security Assessment Project (SA)
     - Security policy review and writing
     - Security Risk Management Program

26. How Can MPC Help?
   • Services
     - Network Perimeter Security Sweep (NPSS)
     - Internal Network Security Sweep (INSS)
     - Secure Network Operations Center (RSMC) for network monitoring (IDS or firewall)

27. How Can MPC Help?
   • Technology
     - Monitoring/auditing tools for workstation usage, license measurement and computer utilization (5th Column)
     - Access controls (wireless, Active Directory, NDS, multi-factor authentication) (Novell, Microsoft)
     - Filtering and proxy tools (Websense)
     - Firewalls (PIX, Cyberguard)

28. How Can MPC Help?
   • Technology
     - Intrusion detection/prevention (host and network)
     - Application gateways
     - IP video surveillance
     - Secure network infrastructure design
     - Wireless technology

29. Thank You!