Security Risk Management: ovvero come mitigare e gestire i rischi dei dati attraverso i servizi gestiti. - by Hitachi Systems - festival ICT 2015

© Hitachi Systems CBT S.p.A. 2015. All rights reserved.
Security Risk Management:
How to mitigate risks and protect data
Security Managed Services
Security BU Director & Sales Director North
Italy
11/11/2015
Denis Cassinerio

2. Hitachi Systems CBT
4. Managed Security Services
Agenda
1
1. Hitachi Ltd. & Hitachi ITSG
3. Risk Management Scenario

1. Hitachi Ltd. & Hitachi ITSG

Power Systems
4%
Social Infrastructure &
Industrial Systems
15%
Electronics Systems &
Equipment
11%
Construction
Machinery
7%
High Functional
Materials &
Components
14%
Automotive Systems
9%
Smart Life &
Ecofriendly Systems
7%
Others (Logistics &
Other services)
11%
Financial Services
3%
Information &
Telecommunication
Systems
19%
1. Hitachi Ltd.
(as of end of Mar. 2015)
81.60
billion

1.2 Hitachi Systems Global
Italy
2014-INDIA
Hitachi
Systems
Micro Clinic
2013–SOUTHEASTASIA
Hitachi
Sunway
Information
Systems
2015-ITALY
Hitachi
Systems
CBT
2014-CHINA
Hitachi
Systems
(Guangzhou)
2012–NORTHAMERICA
Cumulus
Systems
2015-CANADA
Above
Security
1. Establish a base of operation in Italy
2. Contribution to the social
infrastructure business of Hitachi
3. Expand into greater Europe
STRATEGY

2. Hitachi Systems CBT – Italy

2.1 Vision & Mission
“Cloud, Service,
Application &
Technology
Integrator
“Transfer the
complexity and
start focusing on
your business only
Over the last 35 years we have been supporting
medium and large enterprises, both in the
private and public sector, by implementing and
improving their infrastructure, integrating them
with services and application solutions with high
technological content.
Assist organizations in their strategic path
to Business Transformation through
outsourcing of infrastructure, services
and applications
VISION
MISSION”
”

2.2 Business Areas
Data Center, Networking, Devices, Middleware
TECHNOLOGY
APPLICATIONS
MANAGED SERVICES
(2014: Revenues 31,1M€)
(2014: Revenues 22,3M€)
(2014: Revenues 3,7M€)
BUSINESSAREAS
Engineering Projects & Services

2.3 Highlights
All our customers
will be free to focus
on their core
business only
SOFTWARE
FACTORY
BolognaHEADQUARTER
Roma
BRANCHES
Milano
Venezia
Torino
Novara
DATA CENTERS
Roma
Milano
+300
TEAM
6
LOCATIONS
OVER
1.200
CERTIFICATIONS
OVER
100
PARTNERS
LONG EXPERIENCE
>35
YEARS
100%
SECURITY &
COMPLIANCE
57MIO €
REVENUE
+7% FY 2013
2
DATA
CENTER
365
24/7
SERVICES

3. Risk Management Scenario

ATTACK SURFACE

Vulnerability & Threats

DATA BREACH SNAPSHOT
12

CLUSIT Report 2015
13

3.1 Compliance changes
14

NORMATIVE : Regolamento Europeo
15
• La Commissione europea ha proposto una riforma globale della
normativa UE sulla protezione dei dati delle persone fisiche. 
• Il nuovo Regolamento ha lo scopo di fissare delle regole chiare e
uniformi
sulla privacy online e offline
• Una volta approvato dal Parlamento e dal Consiglio UE, varrà per
tutti i Paesi europei.
Principali novità del Regolamento
1. Obbligo di «Data Protection Impact Analysis» in caso di trattamenti
rischiosi
2. Obbligo di «Privacy by Design and Default » nella progettazione e
nell’architettura di Infrastrutture ICT e nelle Pratiche Commerciali
3. Obbligo di «Data Breach Notification» entro 24 ore dall’evento al Garante
Privacy
4. Obbligo per le aziende con più di 250 dipendenti e per gli enti pubblici di
nominare un «Data Protection Officer »
5. Diritto all'oblio, per cui ogni interessato potrà richiedere la rimozione di
propri dati personali.

SANZIONI Previste dal NUOVO Regolamento
Europeo
16

3.2 Risk Management Maturity
17

Crisis = Opportunity
18

The Opportunity : Skills Gap
19
DATA PROTECTION
DLGS. 196/2003 e s.m.i.
DLGS. 231/01 e s.m.i.
Legge 547/93 e s.m.i.
ISO/IEC 27001:2013
COBIT
ITIL
……
Virus
Worm
Trojan
Payloads
Man in te Middle
Brute Force
Authentication..
APT
SKILLS GAP
SECURITY RISK MANAGEMENT
Legal & Compliance Threats Vulnerabilities
CVE MS 2008-067
CVE 2014-62-71
ISO
NIST
OWASP
OSST
Vectors of Attack
Technical Impacts
Business Impacts

Information Security Risk Management Fundamentals
20
AVAILABILITY
INTEGRITY
CONFIDENTIALI
TY

© Hitachi Systems CBT S.p.A. 2015. All rights reserved. 21
VULNERABILI
TY
Processes
Systems
Network
Applications
Continuous check
Continuos
remediation
THREATS
New threats every 1.5
seconds
Variants
Exploit kits
Botnets
APT
Penalties
COUNTERMEASURES
Processes
Checks
AV
IPS
FW
APT
WAF
HIPS
APP CTRL…….
Consultancy
VALUATION
Data
Assets
ANALYSIS
Qualitative
Quantitative
Information Security Risk Management Fundamentals

Situational Awareness Security
22

4. Managed Security Services
23

Security Business Unit
24

EasyShield: Vision
VISION
EasyShield
Legal & Compliance
Architectural Design
Security Engineers
Security Analysts
Integrated Services
Manage the Security IT Complexity
Managed Security Services

COMPLIANCE
TECHNOLOGY
MANAGED SERVICES
CYBERSECURITY
EasyShield: Keywords and Benefits
Keywords & Benefits
Reduction & Cost
Control
Security Posture
Improvement
Ad hoc Installation
& Configuration
Up to date
Certification

EasyShield: Security Risk Management
Identify &
Analiyze Exposures
Monitor
Results
Examine Risk
Management
Select Risk
ManagementImplement
Techniques
Identify assets and their value to the
organization.
Identify vulnerabilities and threats
Quantify the probability and business
impact of these potential threats.
Provide an economic balance
between the impact of the threat
and the cost of the
countermeasure”.
Shon Harris, CISSP
«Security Partner»
“
“

4. EasyShield Offering Structure

Security BU Offering
SKILLS
EXTENDED PORTFOLIO
SRM CYCLE
COST EFFECTIVE
Compliance
Professional
Services
Technology
Cyber Security
Managed Security
Services

CYBERSECURITYTECHNOLOGY
EasyShield® represents a 360°security approach, from Compliance to Cloud
services, through the best technology solutions via Managed Services
3.4 Offering: EasyShield®
• APT Assessment
• Multi Protocol Network Detection
• Spear Phishing Mitigation
• Anti Bot Net
• Sandboxing and behavioral monitor
• Forensic Analysis
• Intrusion Detection / Prevention
• Ethical Hacking
• Penetration Test
• Web Application Protection
• Zero Day Protection
• Security & Compliance Risk
Assessment
• Risk Management, Governance &
Certification
• Business Continuity & Disaster
Recovery
• Regulatory Compliance Management
• Business Process Reengineering
• Security Awareness Training
• Security & Compliance Audit
• Content security
• Datacenter & Cloud Security
• Network Security
• Security Management
• Vulnerability Management
Compliance Management
Penetration Test
Privileged Account Management
Web Application Protection
Vulnerability Assessment
Virtual Patching
Patch Management
Professional Services
Penetration Test
Vulnerabiility,Mobile
Web Application , Wireless
PCI DSS (/ Scan & compliance)
Managed Security Services
Anti Malware policy Management
Mobile Security
Firewall Configuration and policies
IPS / IDS Management
Wireless Assessm
COMPLIANCE
Compliance
Cyber
Security
Managed
Services
Technology
MANAGEDSERVICES
Professional
Services

4.2 Global SOC

Global SOC: Security Strategy
WAF: Web Application Firewall; NGFW: Next Generation Fire Wall ; SIEM: Security Incident and Event Management
Cyber Security
(Anti-Phishing, Anti-
Malware)
Proactive Defense
with Real-time
Analytics and Global
Intelligence Service
Global SOC
Protection of Critical
Infrastructure
(Social Infrastructure)
SHIELD
SecurityOperationCenter

ABOVE SECURITY Integration
33

ARKANGEL Platform
34

Conclusion
35
It is better to look ahead and
prepare than to look back and
regret.
Jackie Joyner Kersee, athlete and olympic medails
Thanks!!

Security BU Offering: Main Technologies
APT IOC DETECTION IAM / PAM
CONTENT SECURITY NETWORK SECURITY SECURITY MANAGEMENT

Contacts
HEADQUARTER
ROME
Via Francesco P. Da Cherso, 30 - 00143
+39 06 519931
www.hitachi-systems-cbt.com
marketing@hitachi-systems-cbt.com
info@hitachi-systems-cbt.com
infosecurity@hitachi-systems-cbt.com
webrainbow@hitachi-systems-cbt.com
easycloud@hitachi-systems-cbt.com
MAIN SITES
MILAN
Via Dei Gracchi, 7 – 20146
+39 02 489571
VENICE - QUARTO D’ALTINO
Via L. Mazzon, 9 – 30020
+39 0422 19702
TURIN
Via Gian Domenico Cassini, 39 - 10129
+39 011 5613567
NOVARA
Via Biandrate, 24 - 28100
+39 0321 670311
BOLOGNA - CASALECCHIO DI RENO
Via Ettore Cristoni, 84 - 40033
+39 051 8550501
TOLL FREE
800 228 228
800 899 228 (WebRainbow)

ICT Festival 2015 - Milano
11/11/2015
Denis Cassinerio
END
Security Business Unit & Sales Director
- DirectSecurity
38
Security Risk Management: How mitigate and handle the
data through the Managed Services

CYBERCRIME TRICHOTOMY
40

References: Case Studies Security
SHIELD: The Brand Name for Hitachi Systems Security Solution
HDI Assicurazioni - Log Management
Consorzio ATR – Adeguamento
Privacy
IntesaBCI – Processi di Gestione della
Sicurezza
IUAV - Privacy Risk Assessement RM ASL B - AV IPS IDS
Poste Italiane – Risk Management AgID – Security Audit Telecom – Politiche di Log Retention
G.Matica – Certificazione integrata
ISO 27001 - 9001
LND – Security & Privacy Risk
Assessement
RFI – Corso Privacy
FIP – Data Loss Prevent
Realizzazione e certificazione del Sistema di
Gestione Integrato Qualità e Sicurezza delle
Informazioni aziendali,
Installazione, configurazione e gestione
sistema di tracciatura dei log di accesso degli
Amministratori di Sistema a norma privacy
Progettazione ed erogazione di due moduli
didattici sui temi della sicurezza informaticae
della protezione dei dati;. Formazione dei
formatori.
Realizzazione di una attività Assessment di
sicurezza rispetto alla normativa sulla privacy
ed ai Provvedimenti del Garante.
Disegno dei processi di Gestione della
Sicurezza ISO 27001 e valutazione degli
impatti organizzativi sullaBanca.
Assessment di Sicurezza. Elaborazione
sistema documentale privacy.Integrazione dei
contratti. Erogazione dellaformazione.
Installazione e configurazione di una
piattaforma di protezione degli ambienti virtuali
da violazione dei dati einterruzioni dell’attività,
Verifica dello stato di conformità del modello
organizzativo, gestionale e tecnologico
adottato dall’Ateneorispetto alle misure di
sicurezza privacy.
Definizione del processo di Risk
Management ISO 31000 e della
metodologia di Risk Assessment secondo
ISO 27005.
Installazione e configurazione di un sistema di
protezione dei dati su PC e Mobile a sostegno
della conformità e prevenzione della perdita di
dati.
Definizione delle politiche di sicurezza per la
raccolta, la conservazione e l’utilizzo dei log a
norma ai fini del monitoraggio dell’utilizzo dei
sistemi informatici.
Audit di sicurezza ISO/IEC 27001,
Dlgs.196/2003 e Dlgs 231/2001 condotto sulla
RIPA (Rete Internazionale della Pubblica
Amministrazione).

1.3 Hitachi ITSG & HISYS Organization
Hitachi Data Systems Corporation
Hitachi Consulting Corporation
Hitachi Solutions Ltd.
“Products and System Development”
“System Solution & Services”
“Platforms (Storage Systems, Server, Platform
Software)”
Information &
Telecommunication Systems
Group (ITSG)
Research & Development Group
Healthcare Group
Power & Infrastructure Systems
Group
“IT Consulting”
Hitachi Systems Ltd.
Cumulus Systems
Hitachi Sunway Information Systems
Hitachi Systems Micro Clinic
Hitachi Systems (Guangzhou)
Hitachi Systems CBT
HITACHI Ltd.
“System Solutions and Services”
Above Security

1.2 History of Hitachi ITSG
Establishment
of Totsuka
factory
（produced
telephones &
switchboards
）
1937
194
9
Automated
switchboard
1959
Electric
computer
1959 Train seat
reservation
system
1965
Mainframe
1969
Online
Banking
System
198
0
Beijing
meteorological central
system for Chinese
Central
Meteorological
Agency
198
1
Digital
switch
board
198
2
Super
computer
198
5
Work Station
1993
Integrated
system
management
middleware
199
4
Outsourcing
solution
199
5
RAID
disk
Array
1997
EDI system
2003
Finger vein
authentication
system
200
4
Blade
Server
200
7
Hitachi
virtualization
technology
“Virtage”
2009
Hitachi
cloud
solution／
Environment
-conscious
data center
2012
Big data related
services
2013
Smart
information
related products
and services
“intelligent
Operations”
2014
IoT
(Internet of
Things),
M2M
(Machine to
Machine)
TODAY1910

Security Risk Management
45
ERRORS/ OMISSIONS
USERS NOT
AUTHORIZED
VANDALISM
TAMPERING PHYSICAL
CHANGE OR COPY OF DATA
UNAUTHORIZED
SOFTWARE
EXECUTION
NATURAL
EVENTS
INTRODUCTION OF
ILLEGAL SW
THEFTS
ORGANIZATION
ARIAL
BUSINESS -
OPERATIONS
CONTINUITY
LOGICAL ACCESS
PHYSICAL ACCESS
DISTRIBUTED
ARCHITECTURE
DATA
DOCUMENTATIONS
APPLICATIONS
SYSTEMS

Misure Minime - Misure Idonee
46
Punto di ottimo
economico
Costo complessivo
Costo della sicurezza
Livello di sicurezza
Costo
Costo di
Esposizione
COST
TOTAL COST
Security cost
Cost exposure
Security Level

KEYSTRENGTHS
Strategic transformation of business and organizational processes with
high experience in Outsourcing and Cloud Computing
Manage the customer’s technological complexities, leaving them free to
focus exclusively on their core business
More than 1,200 hardware and software technology certifications to
design tailor-made solutions also in Private and Public Cloud
infrastructure, already available in our Data Centers
CUSTOMISED SOLUTIONS
TIME AND COST SAVINGS
COMPLEXITY TRANSFER
BUSINESS TRANSFORMATION
2.4 How do we do it
Speed of delivery and “Pay-per-use” logic of EasyCloud®, EasyWare®
and WebRainbow® and EasySHIELD ® Solutions to generate economic
efficiency switching from investments to fee

PROVVEDIMENTI – 28/10/2015
49
…TUTTO CIÒ PREMESSO IL GARANTE
1) dispone la caducazione dell'autorizzazione adottata dal Garante in
data 10 ottobre 2001 con deliberazione n. 36 e per l'effetto vieta, ai
sensi degli artt. 154, comma 1, lett. d) e 45 del Codice, ai soggetti
esportatori di trasferire, sulla base di tale delibera e dei
presupposti indicati nella medesima, i dati personali dal
territorio dello Stato verso gli Stati Uniti d'America;
2) si riserva, ai sensi dell'art. 154, comma 1, lettere da a) a d) del
Codice, di svolgere in qualsiasi momento i necessari controlli
sulla liceità e correttezza del trasferimento dei dati e, comunque, su
ogni operazione di trattamento ad essi inerente, nonché di
adottare, se necessario, i provvedimenti previsti dal Codice;
3) dispone la trasmissione del presente provvedimento all'Ufficio
pubblicazione leggi e decreti del Ministero della giustizia per la sua
pubblicazione nella Gazzetta Ufficiale della Repubblica Italiana.
Trasferimento dati personali verso gli USA: caducazione
provvedimento del Garante del 10.10.2001 di riconoscimento
dell'accordo sul c.d. "Safe Harbor" - 22 ottobre 2015

Corporate Data at Risk
50
Network Credentials
Intellectual Property
Calls
Privileged Communication
Employee Location

Superior service empowered by combining the strength
of our people and information technology.

Security Risk Management: ovvero come mitigare e gestire i rischi dei dati attraverso i servizi gestiti. - by Hitachi Systems - festival ICT 2015

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Security Risk Management: ovvero come mitigare e gestire i rischi dei dati attraverso i servizi gestiti. - by Hitachi Systems - festival ICT 2015

Similar to Security Risk Management: ovvero come mitigare e gestire i rischi dei dati attraverso i servizi gestiti. - by Hitachi Systems - festival ICT 2015 (20)

More from festival ICT 2016

More from festival ICT 2016 (20)

Recently uploaded

Recently uploaded (20)

Security Risk Management: ovvero come mitigare e gestire i rischi dei dati attraverso i servizi gestiti. - by Hitachi Systems - festival ICT 2015