Designing an Information Architecture to Support Cyber Security and Information Assurance



We discussed how you can use Concept Searching’s Smart Content Framework™ to design a solid Information Architecture which supports cyber security and information assurance in your organization. And we explored why this information architecture will help you to secure the weakest links and to proactively identify data exposures before they happen.

We hope this webinar gave you an insight into:
• How conceptClassifier can be used to develop a taxonomy of security terms and organizationally defined descriptors that are aligned with your nomenclature
• How to develop a detailed set of enterprise-specific requirements for security terms and descriptors
• The precautions your organization must take to protect sensitive information
• How to improve risk management and reduce the operating costs associated with cyber security attacks and data privacy exposures

The award-winning technologies integrated with Concept Searching’s Smart Content Framework™ encompass the entire portfolio of unstructured information assets in on-premise, cloud, or hybrid environments.


Designing an Information Architecture to Support Cyber Security and Information Assurance

  1. Designing an Information Architecture to Support Cyber Security and Information Assurance
     Don Miller, Vice President of Sales, Concept Searching, donm@conceptsearching.com
     David Stepp, Senior Principal - Cyber Security, PPC, dstepp@ppc.com
     Twitter @conceptsearch
  2. Agenda
     • Introductions
     • PPC
     • Information Assurance (IA)
     • InfoSec
     • Cyber Crimes
     • Concept Searching
     • Unique Approach
     • Smart Content Framework™
     • Manual Approach = Failure
     • Metadata Drives Actionable Search
     • Metadata Drives Effective Collaboration
     • Demonstration
  3. Expert Speakers
     David Stepp – Senior Principal, Cyber Security at PPC, has over 15 years’ experience in information assurance and information security. He has been assisting commercial and government customers with solving complex security challenges, as well as establishing effective IA programs, and he is a CISSP, CISM and PMP.
     Don Miller – Vice President of Sales at Concept Searching, has over 20 years’ experience in knowledge management. He is a frequent speaker on records management and information architecture challenges and solutions, and has been a guest speaker at Taxonomy Boot Camp and numerous SharePoint events about information organization and records management.
  4. The Global Leader in Automated Tagging Solutions
     • Company founded in 2002
     • Product launched in 2003
     • Focus on management of structured and unstructured information
     • Technology Platform
       • Delivered as a web service
       • Automatic concept identification, content tagging, auto-classification, taxonomy management
       • Only statistical vendor that can extract conceptual metadata
     • 2009, 2010, 2011, 2012, 2013 ‘100 Companies that Matter in KM’ (KMWorld Magazine) and Trend Setting product of 2009, 2010, 2011, 2012
     • Authority to Operate enterprise wide US Air Force and enterprise wide NETCON US Army
     • Locations: US, UK, and South Africa
     • Client base: Fortune 500/1000 organizations
     • Managed Partner under Microsoft global ISV Program - ‘go to partner’ for Microsoft for auto-classification and taxonomy management
     • Smart Content Framework for Information Governance comprising Six Building Blocks for success
     • Product Suite: conceptSearch, conceptTaxonomyManager, conceptClassifier, conceptClassifier for SharePoint, conceptTaxonomyWorkflow, conceptContentTypeUpdater for SharePoint
  5. PPC Corporate Overview
  6. PPC Representative Client Base
  7. Defending Your Information Assets
     • What is Information Assurance?
     • How does InfoSec relate to IA
     • IA v. InfoSec
     • InfoSec Model
     • IA Architecture
     • Why IA is important
     • Cyber Crimes
     • Trends in Cyber Crimes
     • Risks
     • Threats
     • Vulnerabilities
  8. What is Information Assurance (IA)?
     • Information assurance (IA) seeks to assure integrity, availability, authenticity, non-repudiation and confidentiality of information assets
     • Assuring information includes actively managing risks related to the use, processing, storage, and transmission of information
     • Information assurance employs three elements: people, process and technology
     • Utilizes technical and non-technical elements
  9. Elements of IA
     • Governance
     • Business Continuity
     • Information Security
     • Privacy
     • Disaster Recovery
     • Risk Management
  10. IA Achieved through Application of Security Services
     Security Services: Confidentiality, Integrity, Availability, Possession, Authenticity, Utility, Privacy, Non-repudiation, Authorized Use → Information Assurance
  11. InfoSec
     • What is Information Security?
     • InfoSec is an element used to achieve IA
     • Refers to preventative methods/technical controls designed to protect information from being stolen, compromised or attacked in some other way
     • Focuses on potential threats, such as insider attacks, DoS attacks, malicious code, network attacks, viruses, etc.
  12. IA v. InfoSec
     • Similarities
       • Support Information Security Tenets: C – Confidentiality, I – Integrity, A – Availability
       • Seek to protect information assets and information systems
       • Involve people, processes, and technology
       • Utilize risk management
       • Employ management, operational and technical controls
     • Differences
       • Broad v. Narrow focus
       • IA is the more mature discipline
       • IA addresses all information assets; InfoSec focuses on electronic assets only
       • IA uses a balanced mix of technical and non-technical solutions v. InfoSec’s technological solutions
  13. InfoSec Security Model
     • InfoSec Model focuses on technical controls
     • Traditional Approach
       • Closed model
       • Reliance upon perimeter control
       • Protect, detect, react
       • Defense-in-depth
       • Firewalls are the perimeter
       • Least privilege
  14. IA Architecture
     Source: Willett, Keith D. Information Assurance Architecture, 2008
  15. Why IA is Important
     • Information drives businesses and government
     • Enhances operational effectiveness, reduces enterprise costs
     • Improves regulatory compliance
     • Mitigates risk
     • Consequences/impacts of failing to protect information assets are high
       • March 2012 – Global Payments reports security breach, stock value plummets 9%
       • April 2011 – Sony suffers massive breach of online video game network, exposing financial data for 77M users
     • Risk environment is complicated and ever expanding
     • Number of threats continues to grow, not only economic in nature, but political as well
  16. Increasing Availability of Information
  17. The Nature of Threats
     • Natural: earthquakes, floods, fire, hurricanes, tornadoes, rain/hail
     • Unintentional: fire, water, building collapse, loss of utility service, equipment failure
     • Intentional Physical: bombs, fires, water and theft
     • Intentional Non-Physical: fraud, espionage, hacking, identity theft, malicious code, phishing, denial of service attacks
  18. Recognizing the Threat Actors
     $ Information $ is targeted by: Hackers, Insiders, Foreign Govts, Vandals, Terrorists, Competitors, Hacktivists, Spammers
  19. Understanding the Threat Actors
     • Why do they do it?
       • Financial gain
       • Challenge
       • Bragging rights
       • Activism
       • Political reasons
       • Intellectual property
       • Trade secrets
       • Insider knowledge
       • Competitive advantage
       • Technology use
  20. Cyber Crimes
     • Information growth driving growth of cyber crime
     • Cyber crime is a growth industry
     • Dept. of Justice – Criminal Division defines computer crime in two categories:
       • Computer-related Crime: intrusion or malicious hacking, theft of service, denial of service (DoS)
       • Computer-facilitated Crime: espionage, economic espionage, fraud, theft and embezzlement
  21. Cyber Crime is Everywhere
     Hitman Scams, Fraudulent Auto Sales, Ransomware, Extortion/Intimidation Scams, Govt Impersonation
  22. Cost of Cyber Crimes
     • 2012 Internet Crime Complaint Center
       • Total complaints – 289,874
       • Complaints reporting financial loss – 114,908
       • Total financial loss – $525,441,110
     • 2012 Norton Cyber Crime Report
       • 556,000,000 victims
       • Cost of $110,000,000,000
     • 62% of data breaches go unnoticed for months
  23. Trends in Cyber Crime
     • Malware (Malicious Software)
     • Hacking
     • Identity Theft
     • Targeted Phishing
     • Corporate and political espionage
     • Mobile Exploits
     • Hacktivists (Anonymous)
     • Account takeover
     • Compromised Embedded Devices
  24. Risk Management
     • Develop risk governance
     • Define risk environment
     • Determine organizational risk tolerance
     • Identify risk management framework: COBIT 5, ISO 27005 and 31000, NIST SP800-30
     • Define risk assessment methodology
     • Develop risk awareness, communication and reporting processes/procedures
     • Identify and describe risk
     • Define risk scenarios
     • Prioritize risk response
  25. Understanding the Risk Environment
  26. Risk Management Lifecycle
     Source: Hibbard, Eric A. Hitachi Data Systems
  27. Information Asset Classification
     • Before you can protect, you must understand
     • Inventory information assets
     • Determine where information assets reside
     • Categorize data: Financial, Health PII, Military, Trade Secrets, etc.
     • Assess impact and analysis
       • Determine C-I-A impact levels (H/M/L) for each data type
       • Utilize a high-watermark approach
       • Define RTO and RPO
       • Assign value ($)
  28. Quantifying Risk
     • Determine likelihood of occurrence: Very High, High, Moderate, Low, Very Low
     • Determine where the impact will occur
       • Harm to operations
       • Harm to assets
       • Harm to individuals
       • Harm to other organizations
       • Harm to the nation
     • Assign overall risk score/value
     • Measure effectiveness – ROI
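The classification and scoring steps on the two slides above (C-I-A impact levels per data type, high-watermark roll-up, a five-step likelihood scale, an overall risk value used to prioritize response) can be carried through end to end. This is an added illustration, not code from the webinar or from Concept Searching or PPC; the likelihood-by-impact matrix and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Ordinal scales from the slides: C-I-A impact levels H/M/L and a
# five-step likelihood scale (Very Low .. Very High).
IMPACT_RANK = {"L": 0, "M": 1, "H": 2}
RISK_RANK = {"Low": 0, "Moderate": 1, "High": 2, "Very High": 3}
# Likelihood x impact matrix. This mapping is an assumption for the example,
# not a table from the deck; rows are likelihood, columns are impact L, M, H.
RISK_MATRIX = {
    "Very Low":  ("Low", "Low", "Moderate"),
    "Low":       ("Low", "Moderate", "Moderate"),
    "Moderate":  ("Low", "Moderate", "High"),
    "High":      ("Moderate", "High", "Very High"),
    "Very High": ("Moderate", "High", "Very High"),
}

@dataclass(frozen=True)
class DataType:
    name: str
    confidentiality: str  # "L", "M" or "H"
    integrity: str
    availability: str
    likelihood: str       # a key of RISK_MATRIX

def high_watermark(dt: DataType) -> str:
    """Overall impact = the highest of the three C-I-A levels (high-watermark rule)."""
    levels = (dt.confidentiality, dt.integrity, dt.availability)
    unknown = [lvl for lvl in levels if lvl not in IMPACT_RANK]
    if unknown:
        raise ValueError(f"{dt.name}: unknown impact level(s) {unknown}")
    return max(levels, key=IMPACT_RANK.__getitem__)

def risk_level(dt: DataType) -> str:
    """Look up the overall risk from likelihood and the high-watermark impact."""
    return RISK_MATRIX[dt.likelihood][IMPACT_RANK[high_watermark(dt)]]

def prioritize(inventory):
    """Return (name, impact, risk) tuples, highest risk first, for response planning."""
    rows = [(dt.name, high_watermark(dt), risk_level(dt)) for dt in inventory]
    return sorted(rows, key=lambda r: (RISK_RANK[r[2]], IMPACT_RANK[r[1]]), reverse=True)

# Constructed sample inventory (not real data) using the deck's data categories.
INVENTORY = [
    DataType("Financial records", "H", "H", "M", "High"),
    DataType("Health PII", "H", "M", "L", "Moderate"),
    DataType("Training material", "L", "L", "L", "Very High"),
]

if __name__ == "__main__":
    for name, impact, risk in prioritize(INVENTORY):
        print(f"{name:<20} impact={impact} risk={risk}")
```

Note that the high-watermark rule lets a single High confidentiality rating drive the whole data type to High impact even when availability is Low, which is exactly why the slide pairs it with a separate RTO/RPO definition.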
  29. Mitigating Risk
     • Controls and Countermeasures
     • Controls – policies, procedures, practices and guidelines designed to provide reasonable assurance that undesired events will be prevented, detected and corrected
     • Control Types: Deterrent, Preventive, Corrective, Compensating, Detective
     • Countermeasures – a measure to counter, reduce, or mitigate a threat or vulnerability
       • Password cracking – use strong passwords
       • DoS – use an IDS to detect attacks
       • Unauthorized access – configure secure access permissions
  30. Vulnerabilities
     • Threats/threat actors exploit vulnerabilities
     • Examples of vulnerabilities
       • Lack of governance
       • Poorly trained staff
       • Insufficient staff
       • Defective software
       • Improperly configured equipment
       • Inadequate compliance enforcement
       • Poor network design
       • Inadequate management
       • Untested technology
     • The web remains the most popular platform for cyber criminals
     • 2013 Top Web Vulnerabilities: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration
     Source: Open Web Application Security Project (OWASP)
  31. Conclusion
     • Information assets critical to the enterprise
     • IA is about protecting all information assets
     • InfoSec is a supporting element of IA
     • Cyber crime is costly
     • Risk environment is complicated and diverse
     • Robust risk management is a critical part of an effective IA program
     • Information assets must be identified, located and quantified
     • Threats are everywhere
     • Compromise is a reality and IA can lessen the impact
  32. Smart Content Framework™ – Sum of parts is greater than whole
     • Metadata driven application and enforcement of policies - conceptClassifier has been deployed since 2010 to automatically generate metadata and use that metadata to apply and enforce policies. Many clients are using the platform to support their information governance strategy.
     • Proven, mature functionality out of the box - The platform has been deployed in numerous sites and applications across the enterprise, including MOSS and SharePoint 2010, 2013, Solr, Stellent, Documentum, SQL, Oracle, File Shares, Exchange via SharePoint and across the enterprise.
  33. Unique Approach
     Concept Searching has a unique approach to ensure success
     • Concept Searching’s unique statistical concept identification underpins all technologies
     • Multi-word suggestion is explicitly more valuable than single term suggestion algorithms
     • conceptClassifier will generate conceptual metadata by extracting multi-word terms that identify ‘triple heart bypass’ as a concept as opposed to single keywords
     • Metadata can be used by any search engine index or any application/process that uses metadata
     Diagram – Concept Searching provides Automatic Concept Term Extraction; single keywords shown: Triple, Baseball, Three, Heart, Organ, Center, Bypass, Highway, Avoid
  34. A Manual Metadata Approach Will Fail 95%+ Of The Time
     Issue – Organizational Impact
     • Inconsistent – Less than 50% of content is correctly indexed, meta-tagged or efficiently searchable, rendering it unusable to the organization. (IDC)
     • Subjective – Highly trained Information Specialists will agree on meta tags between 33% - 50% of the time. (C. Cleverdon)
     • Cumbersome - expensive – Average cost of manually tagging one item runs from $4 - $7 per document and does not factor in the accuracy of the meta tags nor the repercussions from mis-tagged content. (Hoovers)
     • Malicious compliance – End users select first value in list. (Perspectives on Metadata, Sarah Courier)
     • No perceived value for end user – What’s in it for me? End user creates document, does not see value for organization nor risks associated with litigation and non-conformance to policies.
     • What have you seen – Metadata will continue to be a problem due to inconsistent human behavior.
     The answer to consistent metadata is an automated approach that can extract the meaning from content, eliminating manual metadata generation yet still providing the ability to manage knowledge assets in alignment with the unique corporate knowledge infrastructure.
     Manual Approach Leads to Failure
  35. Benefits of conceptClassifier
     • Provide structure to social media applications
     • Collaboration portals - internal, shared or external
     • Improves search outcomes by providing insight into content
     • Groups similar users, concepts, or content together
     • Automatically tags content based on concepts as well as supports folksonomies
     • Identifies people with expertise, knowledge or interest in a topic
     Can be embedded in the workflow of everyday activities
     • Gain insight through classification of blog entries, CIOs, knowledge portals to identify key trends, common threads, and pulse of internal/external audiences
     • Aggregation and organization for any application that relies on documentation, such as training, procedures, occupational safety, and HR
     • Manage and reduce the resource overhead to vet all entries through auto-classification and concept extraction
     • Automatically identify any type of organizationally defined confidential or privacy information before it is posted, and route to an appropriate repository for disposition
     • Proactively identify bottlenecks and business process failures in real time
  36. Demonstration
  37. Thank You
     Don Miller, Vice President of Sales, Concept Searching, donm@conceptsearching.com
     David Stepp, Senior Principal - Cyber Security, PPC, dstepp@ppc.com
     Twitter @conceptsearch