5th December 2007 Cyber assurance for Financial services IT Services Objectives and Certification Framework 2(1)(zd)(d) 2(...
Standards, Standards, Standards <ul><li>Security </li></ul><ul><li>Audit </li></ul><ul><li>Interoperability </li></ul><ul>...
Importance of Group Standards -no one standard meets all requirements ISO 27001/BS7799 Vs COBIT Vs CMM & PCMM Vs ITIL Miss...
Gouvernance & Assurance Maturity Model
<ul><li>“ To determine  how much is too much , so that we can implement appropriate security measures to build adequate co...
IT Security predictions 2010-2011  1. Pirated software * <ul><li>      Pirated software  will drive insecurity in much mor...
   IT Security predictions 2010-11  2. social networks and ups the ante  <ul><li>Social engineering meets  social networks...
IT Security predictions 2010-2011  3.0  Criminals take to the cloud <ul><li>Criminals take to the cloud.  We have already ...
IT Security predictions 2010 <ul><li>a rise in attacks on health care organizations will occur for similar reasons,  </li>...
3/7/2009 IMT Ghaziabad Lecture Prof. KS@2009 March 2009 Assurance in the PPP Environment
THANK YOU For  Interaction: Prof. K. Subramanian [email_address] [email_address] [email_address] Tele:011-29533068;2321985...
Security architecture rajagiri talk march 2011

Slide notes (source footers carried over from the earlier decks these slides were taken from, plus two speaker notes):
  • Cyber Governance & Assurance / Cyber Governance & Business Assurance, May 14, 2010; Prof. KS@2010 U21G webinar; Prof. KS@2009 IMT Ghaziabad Lecture, March 7, 2009
  • CXOs & Business Assurance Focus, Prof. K. Subramanian, 22nd Feb 2006; Security to Assurance, ISO 27001 Launch, Delhi; 04/11/09 Prof. KS@2009, IOD Lecture, March 22, 2009; esecurity Governance ~ Corporate Governance
  • Corporate Governance & Assurance, 29th November 2007, Prof. K. Subramanian @October 2007
  • IT-Governance --> Corporate Governance, 29th November 2005, Prof. K. Subramanian @2005; 06/29/06 Prof. KS@May 2006, NPC Sikkim Program, eGOV Project Management
  • eGOV Project Governance Panel, 08/04/11, Prof. KS@Sept 2007, ICISA New Delhi
  • Cyber assurance: The need for Technologists & Business of 'morrow, 27/11/2007, Prof. KS, SUNY BUF Lecture, 27th November 2007
  • Speaker note (threat scope): By defining the scope of the threat one can identify the various attacks that can happen, such as vulnerability exploitation, privilege abuse, social engineering, reaching for a jewel, etc.
  • Speaker note (maturity model): The development was guided by the Software Engineering Institute's efforts in the late 80's in building maturity models for software development. By using such a scale, an organization can determine where it is, define where it wants to go and, if it identifies a gap, it can do an analysis to translate the findings into projects. Reference points can be added to the scale. Comparisons can be performed with what others are doing, if that data is available, and the organization can determine where emerging international standards and industry best practices are pointing for the effective management of security and control.
Transcript of "Security architecture rajagiri talk march 2011"

1. Security Architecture
  Prof. K Subramanian, SM(IEEE, USA), SMACM(USA), FIETE, SMCSI, MAIMA, MAIS(USA), MCFE(USA)
  Director & Professor, Advanced Center for Informatics & Innovative Learning (ACIIL), IGNOU
  Honorary IT Adviser to CAG of India
  Ex-DDG(NIC), Ministry of Comm. & IT
  Emeritus President, eInformation Systems, Security, Audit Association (eISSA)
  President, Cyber Society of India (Cysi)

2. Global issues with governance of cyberspace
  • Information Technology & Business: current status and future
  • Does IT matter? IT-enabled Business
    - Role of Information and Information Systems in business
    - Role of information technology in enabling business
    - IT dependence
  • Changing Role of the CIO
  • Web 2.0 and 3.0 and governing cyberspace
  • eBusiness, eHealth, eBanking, eGovernance
  • Current Challenges and Issues
  24/7/2010 Prof. KS@2010 ISACA conference July 2010 Bengaluru

3. Oct 27, 2010 Future egovIndia forum, Oct 2010, Delhi, India
  • Cyberspace is Dynamic, Undefined and Exponential
  • Countries need dynamic laws, keeping pace with technological advancements
  • In a Virtual Space, Netizens Exist, Citizens Don't!
  • Trust in E-environments
  • Lack of a mature IT society
  • Absence of a single governing body
  • Legislation
  • High skill inventory
  • Reduced fear of being caught
  • Disgruntled Employees

4. 09/27/10

5. 09/27/10 Prof KS@2010 Software architecture series

6. Five tier Architecture for Cyber Space
  • Data Architecture:
    - an overall plan for the data items (and their relationships) necessary to deliver e-government.
  • Process Architecture:
    - a plan of the key activities that e-government will support and undertake.
  • Technology Architecture:
    - how computers will be sized and connected for e-government, and an outline of the software to be used.
  • Data Management Architecture:
    - how data input, processing, storage and output functions will be divided across the information technology architecture.
  • Management Architecture:
    - the policies, standards, human resource systems, management structures, financial systems, etc. necessary to support e-government.
  • To create a building, you need a sound underlying architecture for that building, based on an architect's plan. The same is true for Security.

7. Emerging Technologies - Competitive Environments & Integration: Catering through ICE Technologies
  Technologies: 1. IT  2. BT  3. CT  4. ET  5. NT  6. ST
  Integration: 1. Operational Integration  2. Professional Integration (HR)  3. Emotional/Cultural Integration
  ICE is the sole integrator & IT/Cyber Governance is Important
  • Selection of Technologies
  • Affordable
  • Acceptable
  • Sustainable
  • Reliable

8. Creating Trust in an Enterprise
  • Today's information explosion is creating challenges for business and technology leaders at virtually every organization. The lack of trusted information and pressure to reduce costs is on the minds of CEOs and senior executives around the world.
  • What's required to solve these challenges is a paradigm shift: from generating and managing silos (of information, of talent and skills, of technologies and of projects) to an environment where information is a trusted, strategic asset that is shared across the company.

9.

10. Transition: Insurance to Assurance & Assurance Layered Framework
  • Insurance
  • Audit
    - Pre, Concurrent, Post
  • IT Audit
    - Environmental
    - Operational
    - Technology
    - Network
    - Financial
    - Management
    - Impact
  • Electronic Continuous Audit
  • Certification
  • Assurance
  • Management & Operational Assurance (Risk & ROI)
  • Technical Assurance (Availability, Serviceability & Maintainability)
  • Financial Assurance
  • Revenue Assurance (Leakage & Fraud)
  • Legal Compliance & Assurance (Governance)

11. Transition: Insurance to Assurance & Assurance Layered Framework (same content as slide 10, without the Financial Assurance item)

12. Why Assurance? Competitive Threats & Way Forward
  • Internal Competition from Liberalization
  • World Competition from Globalization
  • Entrenched Competition Abroad
  • Asymmetry in Scale, Technology, Brands
  • Industry Shakeouts and Restructuring
  • Learn more about own Businesses.
  • Reach out to all Business & Function Heads.
  • Sharpen Internal Consultancy Competences.
  • Proactively Seize the Repertoire of MS & Partners
  • Foster two-way flow of IS & Line Talent.

13. Key Areas of Assurance
  • Organizational
    - Systems in place to identify & mitigate differing risk perceptions of stakeholders to meet business needs
  • Supplier
    - Confidence that controls of third party suppliers are adequate & meet the organization's benchmarks
  • Business Partners
    - Confirmation that security arrangements with partners assess & mitigate business risk
  • Services & IT Systems
    - Capability of developers and suppliers of IT services & systems to implement effective systems to manage risks to the organization's business

14. What and Why of Business Assurance
  • Manufacturing: Developing & implementing policies & procedures to ensure operations are efficient, consistent, effective & compliant with law
  • Services: Process that establishes uninterrupted delivery of services to customers and protects interests & information
  • Project: Confirmation that the business case is viable and actual costs and timelines are in line with planned costs & schedules
  • Objective: Delivers significant commercial value to the business while fully compliant with regulatory requirements
    - To avoid Enron-type scandals and comply with Sarbanes-Oxley in the US and Clause 49 in India

15. Assurance Stakeholders
  Stakeholders for business assurance:
  • Board of Directors
  • Management
  • Staff/Employees
  • Organisation
  • Customers
  • Public
  • Suppliers
  • Enforcement & regulatory authorities
  • Owner
  • Creditors
  • Shareholders
  • Insurers
  • Business partners

16. Benefits of Assurance
  • Contributes to effectiveness & efficiency of business operations
  • Ensures reliability & continuity of information systems
  • Assists in compliance with laws & regulations
  • Assures that organizational risk exposure is mitigated
  • Confirms that internal information is accurate & reliable
  • Increases investor and lender confidence

17.

18. (Diagram labels) Operational Integration; Professional Integration (HR); Emotional/Cultural Integration; ICT & Government; Business & Services Integration; Multi-technology coexistence and seamless integration; Information Assurance: Quality, Currency, Customization/Personalization; ICE is the sole integrator; IT Governance is Important

19. Managing Interdependencies: Critical Issues
  • Infrastructure characteristics (organizational, operational, temporal, spatial)
  • Environment (economic, legal/regulatory, technical, social/political)
  • Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex)
  • Type of failure (common cause, cascading, escalating)
  • Types of interdependencies (physical, cyber, logical, geographic)
  • State of operations (normal, stressed/disrupted, repair/restoration)

20. Towards Information Assurance
  • Increasingly, the goal isn't about information security but about information assurance, which deals with issues such as data availability and integrity.
  • That means organizations should focus not only on risk avoidance but also on risk management, she said. "You have to be able to evaluate risks and articulate them in business terms"
  • -- Jane Scott-Norris, CISO at the U.S. State Department

21. Up The Value Chain

22. Enabling to rapidly move up the Governance Evolution Staircase
  [Diagram: staircase chart plotting Cost/Complexity against Value over Time, with each stage described along the rows Strategy/Policy, People, Process and Technology. Stages: 1. Presence, 2. Interaction, 3. Transaction, 4. Transformation, 5. Outsourcing; Constituent: evolve PPP model.]

23. Why information security Governance is important
  • With security incidents and data breaches having a huge impact on corporations, security governance, or oversight by the board and executive management, has assumed importance.
  • Security governance refers to the strategic direction given by the board and executive management for managing information security risks to achieve corporate objectives by reducing losses and liabilities arising from security incidents

24. Threat & Vulnerability Management
  • Authenticating user identities with a range of mechanisms, such as tokens, biometrics and Public Key Infrastructure
  • Developing user access policies and procedures, rules and responsibilities and a standardized role structure that helps organizations meet and enforce security standards
  • Centralizing user data stores in a single enterprise directory that enables increased efficiencies in user administration, access control and authentication
  • Reducing IT operating costs and increasing efficiency by implementing effective user management to support self-service and automate workflow, and by provisioning and instituting flexible user administration
  • You need an integrated threat and vulnerability management solution to better monitor, report on and respond to complex security threats and vulnerabilities, as well as meet regulatory requirements.
  • You need to protect both your own information assets and those you are custodian of, such as sensitive customer data.
  • You want a real-time, integrated snapshot of your security posture.
  • You want to correlate events from data emerging from multiple security touch points.
  • You need support from a comprehensive inventory of known threat exposures.
  • You need to reduce the cost of ownership of your threat and vulnerability management system

25. Risk Identification
  • Assess current security capabilities, including threat management, vulnerability management, compliance management, reporting and intelligence analysis.
  • Define c
  • Identify technology requirements for bridging security gaps
  • Integrated Security Information Management
  • Develop processes to evaluate and prioritize security intelligence information received from external sources, allowing organizations to minimize risks before an attack
  • Implement processes that support the ongoing maintenance, evolution and administration of security standards and policies
  • Determine asset attributes, such as direct and indirect associations, sensitivity and asset criticality, to help organizations allocate resources strategically
  • Assist in aggregating security data from multiple sources in a central repository or "dashboard" for user-friendly presentation to managers and auditors
  • Help design and implement a comprehensive security reporting system that provides a periodic, holistic view of all IT risk and compliance systems and outputs
  • Assist in developing governance programs to enforce policies and accountability

26. 9 Rules of Risk Management
  • There is no return without risk
    - Rewards go to those who take risks.
  • Be Transparent
    - Risk is measured, and managed, by people, not mathematical models.
  • Know what you don't know
    - Question the assumptions you make
  • Communicate
    - Risk should be discussed openly
  • Diversify
    - Multiple risks will produce more consistent rewards
  • Show Discipline
    - A consistent and rigorous approach will beat a constantly changing strategy
  • Use common sense
    - It is better to be approximately right than to be precisely wrong.
  • Return is only half the question
    - Decisions are to be made only by considering both the risk and the return of the possibilities.
  • Source: RiskMetrics Group

27. The Insider: Who are They?
  • Who is an insider?
    - Those who work for the target organization or those having relationships with the firm with some level of access
    - Employees, contractors, business partners, customers etc.
  • CSI/FBI Survey key findings (2007)
    - Average annual losses $350,424 in the past year, up sharply from the $168,000 reported the previous year
    - Insider attacks have now surpassed viruses as the most common cause of security incidents in the enterprise
    - 63 percent of respondents said that losses due to insider-related events accounted for 20 percent of their losses
    - (prevalence of insider criminals may be overblown by vendors of insider threat tools!)

28. Solutions Based on Study Recommendations
  • Prevention by
    - Pre-hire screening of employees
    - Training and education
  • Early detection and treat the symptoms
    - Attack precursors exist, some of them non-cyber events
  • Establish good audit procedures
  • Disable access at appropriate times
  • Develop best practices for prevention and detection
    - Separation of duties and least privilege
    - Strict password and account management policies

29. General Solution Steps
  • Collect data: notion of insider threat
  • Formulate a model
    - Threat modeling technique: graph, empirical
  • Determine which phase
    - Prevention/Detection/Mitigation
  • Determine application domain
    - Commercial/Military
  • Pick solution methodology
    - Signature/Rule based, anomaly based
    - Pick the right machine learning algorithms
  • Data acquisition for evaluation and benchmark
  • Take a small bite: good threat modeling is already a significant advance!
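Slides 28 and 29 contrast two detection methodologies (signature/rule based versus anomaly based) and list "disable access at appropriate times" as a control whose failure should be detectable. The following is an added example, not code from the talk or from any tool it cites, that runs both methodologies over a constructed file-access log: the log lines, user names, the terminated-accounts list, the business-hours window and the z-score threshold are all constructed assumptions. A rule fires on a known precursor (a terminated account still active; confidential material copied after hours), while the anomaly check flags whoever touches confidential data far more often than the population average without needing a rule for the specific behaviour.

```python
"""Rule-based and anomaly-based screening of a constructed file-access log.

Added example; not from the slide deck or any project it mentions.
Log format (constructed): "<ISO timestamp> <user> <action> <resource> <classification>"
"""
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. Only carol's late-night COPY run and dave's post-termination
# access are meant to be interesting; everything else is ordinary daytime activity.
SAMPLE_LOG = """\
2011-03-01T09:12:03 alice READ hr/payroll.xlsx CONFIDENTIAL
2011-03-01T09:40:11 alice READ hr/handbook.pdf INTERNAL
2011-03-01T10:02:45 bob READ eng/design.docx INTERNAL
2011-03-01T13:15:20 bob READ eng/roadmap.pptx INTERNAL
2011-03-01T14:00:00 carol READ fin/ledger.csv CONFIDENTIAL
2011-03-01T23:41:09 carol READ fin/ledger.csv CONFIDENTIAL
2011-03-01T23:42:30 carol COPY fin/ledger.csv CONFIDENTIAL
2011-03-01T23:43:02 carol COPY fin/forecast.xlsx CONFIDENTIAL
2011-03-01T23:44:17 carol COPY fin/payroll.xlsx CONFIDENTIAL
2011-03-02T08:30:00 dave READ eng/design.docx INTERNAL
"""

# Constructed HR feed: accounts that should have been disabled at the given time
# ("disable access at appropriate times" on slide 28).
TERMINATED = {"dave": "2011-03-01T17:00:00"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, cls = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource, "cls": cls})
    return events


def rule_based_findings(events, business_hours=(8, 19)):
    """Signature/rule based: each rule encodes one known precursor pattern."""
    findings = []
    start_h, end_h = business_hours
    for e in events:
        # Rule 1: a terminated account is still generating events after its termination time.
        cutoff = TERMINATED.get(e["user"])
        if cutoff and e["ts"] >= datetime.fromisoformat(cutoff):
            findings.append(("terminated-account-active", e["user"], e["ts"].isoformat()))
        # Rule 2: confidential material copied outside the business-hours window.
        if (e["action"] == "COPY" and e["cls"] == "CONFIDENTIAL"
                and not (start_h <= e["ts"].hour < end_h)):
            findings.append(("after-hours-confidential-copy", e["user"], e["resource"]))
    return findings


def anomaly_based_findings(events, z_threshold=1.5):
    """Anomaly based: flag users whose CONFIDENTIAL access count sits far above the
    population mean (z-score over all users seen in the log). No per-behaviour rule needed."""
    per_user = Counter(e["user"] for e in events if e["cls"] == "CONFIDENTIAL")
    users = sorted({e["user"] for e in events})
    counts = [per_user.get(u, 0) for u in users]
    mu, sigma = mean(counts), pstdev(counts)
    if sigma == 0:          # everyone behaves identically; nothing stands out
        return []
    flagged = []
    for u in users:
        z = (per_user.get(u, 0) - mu) / sigma
        if z > z_threshold:
            flagged.append((u, per_user.get(u, 0), round(z, 2)))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in rule_based_findings(evs):
        print("RULE   ", f)
    for f in anomaly_based_findings(evs):
        print("ANOMALY", f)
```

Both methods flag carol, but for different reasons: the rule names the exact precursor (after-hours copies of confidential files), the anomaly score only says her confidential-access volume is unusual, which is what lets it catch behaviours nobody wrote a rule for. The terminated-account rule is the cheaper check and is also the one that verifies the slide 28 control actually happened.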
    30. 30. Insider Threat Modeling <ul><li>Privilege escalation by impersonation </li></ul><ul><li>Priv. escalation by exploiting vulnerabilities </li></ul><ul><li>Own privilege abuse </li></ul><ul><li>Social engineering attacks </li></ul><ul><li>Colluding attacks </li></ul>24/7/2010 Prof. KS@2010 isaca conference July 2010 Bengaluru
    31. 31. Information-Centric Modeling <ul><li>University at Buffalo- CEISARE </li></ul><ul><ul><li>Developed the concept of a Capability Acquisition Graph for insider threat assessment </li></ul></ul><ul><ul><li>Part of a DARPA initiative </li></ul></ul><ul><ul><li>Built a tool called ICMAP (Information-Centric Modeler and Auditor Program) </li></ul></ul><ul><ul><li>Publications in ACSAC 2004, IEEE DSN 2005, JCO 2005, IEEE ICC 2006, IFIP 11.9 Digital Forensics Conference 2007 </li></ul></ul><ul><ul><li>CURRICULUM: Computing, mathematical, legal, managerial and informatics </li></ul></ul><ul><ul><li>Various CAEs (certified by NSA, DHS), USMA, Syracuse, Buffalo, Stony Brook, Polytechnic, Pace, RIT </li></ul></ul>24/7/2010 Prof. KS@2010 isaca conference July 2010 Bengaluru
    32. 32. <ul><li>How is a model instance generated? </li></ul><ul><ul><li>Define the scope of the threat </li></ul></ul><ul><ul><li>A step-by-step bottom up approach starting with potential targets </li></ul></ul><ul><li>Who constructs the model instance? </li></ul><ul><ul><li>A knowledgeable security analyst </li></ul></ul><ul><li>How are costs defined? </li></ul><ul><ul><li>Cryptographic access control mechanisms have well-defined costs </li></ul></ul><ul><ul><li>Use attack templates, vulnerability reports, attacker’s privilege and the resources that need to be protected </li></ul></ul><ul><ul><li>Low, Medium and High – relative cost assignment </li></ul></ul>24/7/2010 Prof. KS@2010 isaca conference July 2010 Bengaluru Practical Considerations
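As an added illustration of the cost-annotated model instance the two slides above describe (this is not ICMAP or CEISARE code): a constructed toy capability acquisition graph using the slide's Low/Medium/High relative costs, a least-cost search for the cheapest route from an insider's starting capability to a protected resource, and a re-costing step that shows how putting a control in front of one edge changes that route. The capability names, the edges and the numeric weights behind the three cost levels are all assumptions.

```python
import heapq
from collections import defaultdict

# Relative cost scale from the slide; the numeric weights are an assumption.
COST = {"Low": 1, "Medium": 4, "High": 10}

# Constructed toy model instance: edge (src, dst, cost) means "an insider who
# already holds capability src can acquire dst at that relative cost".
EDGES = [
    ("contractor_badge", "office_network", "Low"),
    ("office_network", "domain_account", "Medium"),
    ("domain_account", "file_share", "Low"),
    ("file_share", "customer_records", "Low"),   # plaintext export on the share
    ("domain_account", "db_admin", "Medium"),
    ("db_admin", "customer_records", "Low"),
]

def cheapest_path(edges, start, target, cost=COST):
    """Dijkstra over the capability graph: returns (total_cost, path) for the
    least-cost way to reach `target` from `start`, or (None, []) if unreachable."""
    graph = defaultdict(list)
    for src, dst, level in edges:
        graph[src].append((dst, cost[level]))
    best, prev, heap = {start: 0}, {}, [(0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == target:                      # first pop of target is optimal
            path = [node]
            while node in prev:
                node = prev[node]
                path.append(node)
            return d, path[::-1]
        if d > best[node]:                      # stale heap entry
            continue
        for nxt, w in graph[node]:
            if d + w < best.get(nxt, float("inf")):
                best[nxt], prev[nxt] = d + w, node
                heapq.heappush(heap, (d + w, nxt))
    return None, []

def harden(edges, src, dst, new_level):
    """Copy of the model with one acquisition edge re-costed, e.g. after a
    control (encryption, approval workflow) is put in front of it."""
    return [(s, d, new_level if (s, d) == (src, dst) else lvl) for s, d, lvl in edges]

if __name__ == "__main__":
    print(cheapest_path(EDGES, "contractor_badge", "customer_records"))
    hardened = harden(EDGES, "file_share", "customer_records", "High")
    print(cheapest_path(hardened, "contractor_badge", "customer_records"))
```

Re-running the search after each re-costing is the analyst's check that a control actually raised the cheapest route, rather than merely moving it to a path that was already nearly as cheap.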
33. Calder-Moir IT Governance Framework
3/7/2009 IMT Ghaziabad Lecture Prof. KS@2009 March 2009

34. Measurement of IT Project Value and Effectiveness
- IT Assessment
  1. Validity or Relevance
  2. Protectibility
  3. Quantifiability
  4. Informativeness
  5. Generality
  6. Transferability
  7. Reliability to other parts of the organization
- Effectiveness
  - Utility
  - Efficiency
  - Economy
  - Control
  - Security
- Assessment of IT Functions
  - Strategy
  - Delivery
  - Technology
  - People
  - Systems

35. IT Services Objectives and Certification Framework (5th December 2007, Cyber assurance for Financial services)
Frameworks compared: IT Act, COBIT, Control Theory
- Framework attributes: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability of information
- Indian IT Act references: 2(1)(zd)(a), 2(1)(zd)(b), 2(1)(zd)(c), 2(1)(zd)(d)

36. Standards, Standards, Standards
- Security
- Audit
- Interoperability
- Interface (systems/devices/comm.)
- Architecture / Building blocks / Reusable
- HCI (Human Computer Interface)
- Process
- Environmental (Physical, Safety)
- Data interchange & mail messaging
- Layout / Imprint

37. Importance of Group Standards – no one standard meets all requirements
ISO 27001/BS7799 vs COBIT vs CMM & PCMM vs ITIL
Mission → Business Objectives → Business Risks → Applicable Risks → Internal Controls → Review

38. Governance & Assurance Maturity Model

39. Security/Risk Assurance – Expectations
- "To determine how much is too much, so that we can implement appropriate security measures to build adequate confidence and trust"
- "To derive a powerful logic for implementing or not implementing a security measure"
40. IT Security predictions 2010-2011 – 1. Pirated software*
- Pirated software will drive insecurity in much more dynamic ways than previously realized. Users of pirated software are afraid to download updates, and thus are exposed to security risks because their software is entirely unpatched. Also, newer versions of pirated software now come with malware pre-installed. As a result, users of pirated software will become the new "Typhoid Marys" of the global computing community.
- * Source: IBM's X-Force research team

41. IT Security predictions 2010-11 – 2. Social engineering meets social networks
- Social engineering meets social networks and ups the ante for creative compromises. Criminal organizations are increasingly sophisticated in how they attack different social networking sites. For example, Twitter is being used as a distribution engine for malware. LinkedIn, however, is being used for highly targeted attacks against high-value individuals. We will see these organizations use these sites in creative new ways in 2010 that will accelerate compromises and identity theft, especially as new commercial applications increase the disclosure of valuable personal information on these sites.

42. IT Security predictions 2010-2011 – 3. Criminals take to the cloud
- Criminals take to the cloud. We have already seen the emergence of "exploits as a service." In 2010 we will see criminals take to cloud computing to increase their efficiency and effectiveness.

43. IT Security predictions 2010
- A rise in attacks on health care organizations will occur for similar reasons
- Continued attacks on retailers big and small, and on tax authorities
- Educational/school systems – anywhere that lots of records are kept by organizations that haven't traditionally had best-practice security in place

44. Assurance in the PPP Environment

45. THANK YOU
For interaction: Prof. K. Subramanian
[email_address] [email_address] [email_address]
Tel: 011-29533068; 23219857
Let us assure good Cyber Governance & Business Assurance in the Cyber Era