Tom McCann - Sopra

  1. Navigating a safe course to better information assurance
     - Enabling Your Business
     - TALENTED TOGETHER
     - SOCITM Conference, Oct 2009
  2. Agenda
     1. Introduction
     2. Context
     3. Government perspective
     4. Assistance available
     5. Point of view
  3. Wrecks – A brief history of non-protection
     - Government, healthcare and education sectors accounted for 60% of data breaches and 60% of identities exposed*
     - *Symantec ISTR vol. XIII, Apr 2008
  4. Data Protection
     - Reported DPA breaches: 578 since Nov 07
       - Private sector: 172
       - NHS: 162
       - Local Government: 69
       - Central Government: 56
     - “No organisation handling information can guarantee it will never experience losses. But people have a right to expect that their public services achieve and maintain high standards in this important area. Those involved in delivering those public services must work harder and be more effective to meet and exceed those expectations.” (Sir Gus O’Donnell)
  5. So what?
  6. Personal data is now pervasive
     - [Diagram: personal data spread across every layer of the estate (Network, End Point, Application, DB/FS, Storage): enterprise, core and custom apps, web servers and portals, Exchange and file servers, databases, disk and replicated disk storage, backup tape and backup disk, WAN, Internet, other sites and partners]
  7. Major threat areas
     - [Diagram: risk heat map (High / Medium / Low risk) over the same layers: Network, End Point, Application, DB/FS, Storage]
     - Numbered threats on the map:
       1. Media lost or stolen
       2. Disks stolen or discarded media exploited
       3. Packets sniffed in transit
       4. Privileged user breach (DBA/FSA)
       5. Database/file server hack
       6. (Semi-)trusted user misuse
       7. Unintentional distribution
       8. Privileged user breach
       9. Application hack
       10. (Semi-)trusted user misuse
       11. Unintentional access
       12. Physical theft of media or lost backup media exploited
       13. Trojans / key loggers
       14. Unintentional distribution
       15. Public infrastructure hack
  8. World Economic Forum 2009
  9. PCI DSS
     - PCI DSS Requirements for Compliance:
       - Build & Maintain a Secure Network
       - Protect Cardholder Data
       - Maintain a Vulnerability Management Program
       - Implement Strong Access Control Measures
       - Regularly Monitor & Test Networks
       - Maintain an Information Security Policy
     - Key Focus Areas for PCI Compliance:
       - Information Security Policies
       - Network Security
       - PCI Remediation Strategy
       - Encryption
       - Logging
       - Key Management
       - Log Review
       - Access Control & Management
       - File Integrity Monitoring
       - Vulnerability Management
  10. Real risk of compliance fatigue
     - Increasing stakeholder demands: Citizens, Council, Central Gov’t, LGA
     - + Expanding risk & control oversight functions: Internal Audit, External Audit, Corporate Services, Finance, Legal, Risk, ICO
     - + Changing law, policy & directives: Policy, Privacy, BCP, InfoSec, Op’ Risk
     - = Business fatigue:
       - Lack of co-ordination
       - Duplicate effort
       - Risks falling between the cracks
       - Competition for ICT attention
  11. IA challenges facing Public Sector
     - Government Agenda
     - Shared services v’s privacy v’s efficiency
     - Citizen centric – more online services
     - Global development
     - Citizen expectations
     - Growing threats to UK Plc
     - Expanding compliance requirements
     - New CIA – Convenience / Interoperability / Affordability
  12. Reviews Conducted (Government Reviews)
     - HMRC – Poynter Review (Kieran Poynter, PWC), June 2008
     - MOD – Burton Review (Sir Edmund Burton), June 2008
     - Data Handling Review (Sir Gus O’Donnell), June 2008
     - Data Sharing Review (Richard Thomas & Dr Mark Walport), July 2008
  13. Reefs and rocks – where things go wrong
     - Cost reduction pressures
     - Competing business priorities: now v’s secure
     - Failing to effectively risk manage 3rd parties: outsourcing … development … hosting … testing
     - New initiatives: cloud computing … offshore …
     - Mobility: remote working … mobile computing (32GB of data on a mobile phone..)
     - Compliance fatigue
  14. Data Handling Report
     - Key DHR Recommendations:
       - Core measures to protect personal data and other information across Government;
       - A culture that properly values, protects and uses information;
       - Stronger accountability mechanisms; and
       - Stronger scrutiny of performance.
  15. Charts to help you (Security Policy Framework)
     - Replaced Manual of Protective Security (MPS)
     - Collective responsibility to protect assets
     - Must be able to share information
     - Must have confidence in people
     - Business resilience
     - Mandated Protective Security Policy for HMG Departments and their Agencies
     - Includes IA Policy
     - 70 Mandatory requirements
     - 4 Tiers:
       - Tiers 1-3 Not Protectively Marked; available to public & WIAC via CSIA
       - Tier 4 – Restricted; available through accredited route
     - New ICO Powers: Monetary Penalties; Assessment Notices (without permission)
     - New EU e-privacy legislation will drive a ‘Breach Notification’ requirement (2-3 years)
  16. The High Level View
     - Cyber Security Strategy of the UK
     - National Information Assurance Strategy (NIAS)
     - Security Policy Framework (SPF)
     - Data Protection Act
     - Freedom of Information Act
     - 70 Minimum Mandatory Measures
     - Information Assurance Maturity Model (IAMM)
     - HMG IA Standard No. 6
     - Accreditation
     - Data Handling Review Guidelines
     - CoCo’s
     - Other Legal / Compliance Requirements (PCI, RIPA, etc)
  17. Some new lighthouses (New Guidance)
     - Local Authority Data Handling Guidelines
     - Data Handling (NHS)
     - Enhanced Governance:
       - Govt level – IADG / IAOB
       - Locally – SIRO / Data ownership
     - Improved professionalism – IISP
     - IA Good Practice Guides (currently 15), e.g. Outsourcing, Data Aggregation, Laptops, Remote working, Secure bulk data transfers
     - IA Standards:
       - Existing standards reviewed
       - New risk assessment methodology
       - New Standards (IAS 6)
  18. Protecting personal data
     - HMG IA Standard No.6 – Protecting Personal Data and Managing Information Risk
     - Outlines minimum measures that MUST be implemented by Departments & Agencies bound by the SPF.
     - Key Principles:
       - Departments and delivery partners must protect personal data
       - Sensitive personal information must be handled in accordance with specific measures
       - Those with access to sensitive personal data must have appropriate training.
  19. Government model for IA
     - “The pressure is to deliver quicker, but the advantage will be on those who can build in assurance” (Sir E. Burton)
     - [Diagram: EXTRINSIC vs INTRINSIC assurance across IMPLEMENTATION and OPERATIONAL phases. Extrinsic: Evaluate Solutions, Determine Residual Risk, Ongoing IA Management. Intrinsic: Design in IA, Build in IA]
  20. IA Maturity Model (IAMM)
     - IAMM and IA Assessment Framework published in Sept 2008 to assist Senior Information Risk Owners (SIROs) develop IA maturity within their Departments
     - Will assist boards to report improvements in their IA and IRM in their annual reports to Cabinet Office
     - Incorporates SPF and DHR requirements and is aligned to ISO 27001
     - Departments will need to provide evidence of IA maturity in their Agencies, NDPBs and delivery partners
     - 5 levels – Initial (1) to Optimised (5)
     - Self-assessment and supported self-assessment
  21. On the horizon (Looking Forward)
     - NIAS Delivery
     - Continued focus on DH (>ICO powers)
     - Increased focus on Training, Audit, Benchmarking
     - WIAC adoption of DH guidelines
     - SPF Governance measures
     - Delivery Partner scrutiny
     - Partner with Industry Initiative (PWI)
     - Government Cyber security strategy
     - PCI incorporated into policy
  22. Safety equipment
     - Education, education, education!
     - Through-life assurance approach: build security in & prove it
     - Risk management advice: CESG CLAS scheme
     - Ensure 3rd parties know what they need to do & do it! Flowdown of any CoCo requirements
     - Technology solutions: encryption, DLP, etc
     - Proven ability to react in the event of an incident: forensics readiness
     - Ongoing technical assurance: CESG CHECK scheme
  23. Prove that your security is effective
     - Penetration Test(s) (annual / bi-annual / quarterly), including CHECK
     - External Network Mapping
     - Vulnerability Scanning Service of external network
     - Monthly reports
     - Workshops with Security Consultants
  24. Point of view
     - The recent global events around data loss have prompted significant reflection on the effectiveness of information risk management & compliance globally – expect more ‘regulation’
     - The pace of change in UK Government in particular has been unprecedented – the assurance elements have yet to mature
     - The quality and clarity of guidance available in the UK is unlike any other country globally
     - It is possible to implement an information-centric security assurance strategy which reduces compliance cost and minimises duplication of effort
     - Effective information assurance supported by sound governance is key to not repeating the mistakes of the past
  25. A final word from the Information Commissioner …
     - “The blunt truth is that all organisations need to take the protection of customer data with the utmost seriousness. I have made it clear publicly on several occasions over the past year that organisations holding individuals’ data must in particular take steps to ensure that it is adequately protected from loss or theft. … Getting data protection wrong can bring commercial, reputational, regulatory and legal penalties. Getting it right brings rewards in terms of customer trust and confidence. …”
     - Richard Thomas, April 2008
  26. Questions …?