Information Security Gm Aug09


best practices approach to information security

1. Information Security Considerations and Recommendations for IT Decision Makers and Business Unit General Managers
   Black Opp Systems, John Reno, [email_address], August 2009
2. Contents
   • Summary
   • Market Environment
   • Making Decisions
   • Information Security Technology Review
   • Resources
   Technology review areas: Risk Management, Policy Management, Business Continuity, Application Security, Compliance, Internal Auditing, Identity and Access Management, Encryption/Key Management, Data Loss Prevention, Network Monitoring, SIEM, Endpoint Enforcement
3. Summary
   • Purpose
     • Enable IT and security management to operate more effective information security programs
     • Provide business unit general managers with information security context so they can make better decisions
   • Approach
     • Evaluation of the information security market, business needs and infrastructure trends
     • Supported by quantitative data from various industry sources
       • IDC, Fortune Inc., Symantec, CSI, Ponemon Institute
4. Market Environment – General Observations
   • Information security market (products and services)
     • Fragmented, high growth, constantly evolving
     • Information security is becoming a component of risk management
   • Typical attitude
     • Information security spending remains a priority
     • Do not want another product to manage
   • Technology
     • Start-up driven innovation
       • Point solutions
     • No silver bullet
       • Lots of process in every solution
5. Market Environment – Information security system best practices
   [Diagram: best-practices life cycle; labels: Business Requirements, Business Drivers, Policy, Risks, Requirements Definition, Strategy, Risk model, Data map, Control map, Control, Implement, Manage, Audit, Business Enablement, Life Cycle Review]
6. Market Environment – Information security system
   • Best practices
     • Driven by business requirements
     • Focus on risk reduction
     • Security program driven by policy
     • Management through analysis of metrics
     • Results in business enablement
   • Common shortcomings
     • Focus on technology rather than process
     • Decisions driven by fear
     • Event orientation around regulatory compliance
     • Ad-hoc staffing, responsibilities and policies
     • Restricts business agility, growth and income
7. Market Environment – Representative issues
   [Diagram: supplier/customer value chain; activities: Shopping, Purchasing, Using and Maintaining, Marketing, Selling, Shipping, Service and Support, Design, Development, Payables, Receivables, Receiving; security issues annotated on the chain: Collaborative Commerce, Intellectual Property, Search/Discovery/Offering, Reputation, Trusted Transactions, Integrity, Electronic Funds Transfer, Value, Logistics/Supply Chain Management, Theft, Customer Relationship Management, Privacy]
8. Market Environment – Information security system
   • Where security programs often go wrong
     • Flawed understanding of environmental conditions
       • Why are so many security products ineffective? Asymmetric information favors the attacker
       • Failure to recognize that:
         • Trust management is an arms race; risk management is manageable (and manageable at a profit)
         • Risk control encapsulates trust
     • Flawed understanding of security system requirements
       • Primary system requirements are always security, scalability and integration
       • Only platform vendors can deliver security that is integrated enough to scale and invisible enough to ignore
     • Flawed understanding of process
       • Security is a means, not an end
9. Market Environment – Threat evolution
   Trends:
   • Attackers focus on the network layer
   • Proliferation of worms
   • Dissolving network perimeter
   • Attackers focus on the application layer
   • Attackers shift to client-side attacks
10. Market Environment – Threat Economy
   [Diagram: threat economy value chain with stages Writers, First Stage Abusers, Middle Men, Second Stage Abusers and End Value; node labels: Tool and Toolkit Writers, Malware Writers (Worms, Viruses, Trojans, Spyware), Machine Harvesting, Information Harvesting, Hacker/Direct Attack, Internal Theft: Abuse of Privilege, Bot-Net Creation, Bot-Net Management (For Rent, for Lease, for Sale), Personal Information, Electronic IP Leakage, Information Brokerage, Compromised Host and Application, Spammer, Phisher, Extortionist/DDoS-for-Hire, Pharmer/DNS Poisoning, Identity Theft, Financial Fraud, Commercial Sales, Fraudulent Sales, Advertising Revenue, Espionage (Corporate/Government), Fame, Extorted Pay-Offs, Theft]
11. Market Environment – Compliance Structure
   [Diagram: regulations and standards (FISMA, HIPAA, SOX, GLB, INTEL COMSEC, DoD, ISO, PCI) with their corresponding control catalogs (SP 800-53, DCID, NSA Req, DoD IA Controls, ISO 17799/27001, PCI DSS) and configuration guidance (SP 800-68 guide, DISA STIGs, NSA Guides); caption: Risk Management, Policy, Controls and Configuration Guidance]
12. Market Environment – Information security system
   • Threat landscape
     • Cybercrime
     • Internal malicious activity
     • Business partners
   • Key concerns
     • Brand protection
     • Risk reduction
     • Service availability
     • Employee productivity
     • Regulatory fines
     • Reputational damage
13. Market Environment – The customer security system: product and service categories
   • Security products: Risk management, Policy management, Business continuity, Application security, Data security, Encryption, Endpoint and network enforcement, SIEM/monitoring
   • Security services: Risk management, Policy development, Assessment, Compliance, Audit, Architecture, Implementation
14. Market Environment – Representative Security Framework (NIST)
   Security Life Cycle (SP 800-39):
   • CATEGORIZE Information System (FIPS 199 / SP 800-60): Define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.
   • SELECT Security Controls (FIPS 200 / SP 800-53): Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
   • IMPLEMENT Security Controls (SP 800-70): Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
   • ASSESS Security Controls (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
   • AUTHORIZE Information System (SP 800-37): Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
   • MONITOR Security State (SP 800-37 / SP 800-53A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
15. Market Environment – Security and Compliance Best Practices
   • Assure an appropriate management structure is in place to oversee security and compliance
   • Establish policies, procedures and standards
   • Communicate policies and procedures to all stakeholders
   • Ensure security and compliance policies and procedures are being executed
   • Enforce the policies, standards and procedures consistently through appropriate process, controls and automation
   • Implement a feedback loop to enable monitoring and modifications
     • Establish that due diligence is made to provide appropriate security and compliance
16. Making Decisions
   • Decision making process
     • Understand the business conditions
       • Team capability, operating environment, threat model, business drivers, etc.
     • Determine the requirements for success
       • Business goals, security requirements, operational metrics
     • Identify potential solutions
       • Usually three or four reasonable choices
     • Quantitatively model the business impact of each solution
       • Need to account for the uncertainty associated with each choice
     • Choose the optimal solution
17. Making Decisions
   • Illustrating the decision making process through an example
     • Company
       • Major storage equipment supplier
     • Organization
       • Information technology and security operations
     • Problem
       • Save 25% in annual operating costs while achieving compliance
       • Measure the business value of the project
18. Making Decisions
   • Business conditions
     • IT and security organization
       • General reputation for technical excellence
       • Cost reduction for compliance identified as a key project for overall organization savings
       • Project plan in process with TCO and ROI as key metrics
     • Issues
       • Was the proposed project plan the most effective?
       • Were there more effective and efficient alternatives?
       • What was the value contributed to the business by doing the project?
19. Making Decisions
   • Current conditions
     • Status quo approach to the problem
       • Reduce costs through headcount reductions
       • Meet ROI and TCO goals
     • Issues
       • No systematic measure of business value
       • Lacking the ability to quantitatively predict whether cost reduction targets could be met
20. Making Decisions
   • Decision making approach
     • Understand current system characteristics
     • Acquire qualitative and quantitative data
     • Develop a model of operational cost over a three-year period considering viable options
     • Develop a model of business value and drivers over three years considering viable options
     • Evaluate NPV, ROI and TCO of viable plans
     • Move forward with the actions required to meet goals and the best practices to be applied
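The decision approach on slides 16 to 20 (model operating cost over three years, evaluate NPV, ROI and TCO for each viable plan, and account for the uncertainty of each choice) carried through as an added Python example; this is not from the original deck. The status-quo baseline, the three options, their best/likely/worst cost scenarios, the scenario weights and the 10% discount rate are all constructed assumptions.

```python
"""Three-year NPV/ROI/TCO comparison for the compliance cost-reduction case.
Added illustration, not from the original deck; all figures are constructed."""
from dataclasses import dataclass

DISCOUNT_RATE = 0.10            # assumed annual discount rate for NPV
YEARS = 3                       # planning horizon used in the deck
BASELINE_ANNUAL = 1_000_000.0   # constructed status-quo annual compliance cost
TARGET_SAVINGS = 0.25           # the deck's 25% operating-cost reduction goal
SCENARIOS = ("best", "likely", "worst")

@dataclass
class Option:
    name: str
    upfront: float   # one-time investment in year 0
    annual: tuple    # annual operating cost per scenario (best, likely, worst)
    weights: tuple   # probability of each scenario, summing to 1

# Constructed alternatives; the first is the status-quo plan from the deck.
OPTIONS = [
    Option("Headcount reduction", 150_000, (720_000, 800_000, 900_000), (0.2, 0.5, 0.3)),
    Option("Compliance automation", 400_000, (650_000, 720_000, 820_000), (0.25, 0.5, 0.25)),
    Option("Outsourced assessment and audit", 100_000, (700_000, 780_000, 950_000), (0.2, 0.5, 0.3)),
]

def npv(cashflows, rate=DISCOUNT_RATE):
    """Net present value of cash flows indexed from year 0."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cashflows))

def evaluate(opt, scenario):
    """TCO, NPV of savings vs. baseline, ROI and target check for one scenario."""
    annual = opt.annual[SCENARIOS.index(scenario)]
    tco = opt.upfront + annual * YEARS
    flows = [-opt.upfront] + [BASELINE_ANNUAL - annual] * YEARS  # year 0, then 1..3
    gain = BASELINE_ANNUAL * YEARS - tco                       # undiscounted net benefit
    return {"tco": tco, "npv": npv(flows), "roi": gain / opt.upfront,
            "meets_target": annual <= BASELINE_ANNUAL * (1 - TARGET_SAVINGS)}

def expected(opt):
    """Probability-weighted metrics plus the chance the 25% target is met."""
    agg = {"tco": 0.0, "npv": 0.0, "roi": 0.0, "p_target": 0.0}
    for scenario, w in zip(SCENARIOS, opt.weights):
        r = evaluate(opt, scenario)
        for k in ("tco", "npv", "roi"):
            agg[k] += w * r[k]
        agg["p_target"] += w * r["meets_target"]
    return agg

def rank(metric="npv"):
    """Options best-first on an expected metric (lower is better only for TCO)."""
    sign = -1 if metric == "tco" else 1
    return sorted(OPTIONS, key=lambda o: sign * expected(o)[metric], reverse=True)
```

With these constructed figures the option with the highest expected NPV is not the one most likely to hit the 25% target, which is exactly why the deck insists on modelling uncertainty rather than comparing single-point ROI numbers.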
21. Information Security Technology Review
   • Discussion around the following areas: Risk Management, Policy Management, Business Continuity, Application Security, Compliance, Internal Auditing, Identity and Access Management, Encryption/Key Management, Data Loss Prevention, Network Monitoring, SIEM, Endpoint Enforcement
22. Information Security Technology Review
   • Discussion topics
     • Best practices
     • Business impact
     • Process
     • Scalability
     • Integration
     • Product vendors
     • Service vendors
23. Resources
   • Threat environment
     • OSF DataLoss DB
     • Symantec Internet threat report
   • Security practices
     • CSI
     • Verizon Business
   • Business impact
     • Ponemon Institute
   • Process guidelines
     • NIST
     • ISO 17799
   • Application security
     • OWASP
     • WASC