Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Infocon Bangladesh 2016

525 views

Published on

Presentation as presented during the seminar on 16-04-2016

Published in: Services

Infocon Bangladesh 2016

  1. 1. www.primeinfoserv.com | email : info@primeinfoserv.com | Contact : +91 98300 17040 Managed Service | Consulting | System Integration | Skill Development | Applications
  2. 2. PRIME INFOSERV LLP ▪ Prime Infoserv LLP is an IT-services company offering comprehensive services to businesses across a broad range of platforms and technologies. ▪ With Prime, organizations get more than just an outsourcing partner. We hold strategic capabilities to compete better and deliver more for the customers. By improving reliability, speed and agility, we enable our customers to achieve sustainable differential advantage over their competitors. Our engagement models are flexible, scalable, secure and custom defined, based on specific individual needs of our customers
  3. 3. PRIME SERVICE PORTFOLIO Managed Service Consulting Applications System Integration Skill Development
  4. 4. WHAT IS INFOCON www.infoconglobal.org
  5. 5. THE NEXT TWO HOURS BANGLADESH
  6. 6. OVERVIEW ▪ DO WE NEED TO TAKE INFORMATION SECURITY CHALLENGES SERIOUSLY ▪ WHAT WE SHOULD BE DOING AS AN ORGANIZTION TO ADDRESS THE MULTIPLE CHALLENGES. ▪ HOW WE CAN HELP YOU IN YOUR JOURNEY
  7. 7. DO WE NEED TO TAKE INFORMATION SECURITY CHALLENGES SERIOUSLY ?
  8. 8. www.primeinfoserv.com | info@primeinfoserv.com https://www.theguardian.com/technology/2015/oct /13/nca-in-safety-warning-after-millions-stolen- from-uk-bank-accounts
  9. 9. www.primeinfoserv.com | info@primeinfoserv.com
  10. 10. www.primeinfoserv.com | info@primeinfoserv.com http://www.bloomberg.com/news/videos/b/da235614-3740-4f68-8176-c1a640fc73a1
  11. 11. www.primeinfoserv.com | info@primeinfoserv.comhttp://www.cnbc.com/2016/01/29/hsbc-cyber-attack-brings-internet-banking-down.html
  12. 12. Q: IN TODAY’S MARKET, WHAT CAN: •Give your company a competitive advantage? •Improve your reputation in the eyes of your customer? •Demonstrate compliance to international and federal privacy laws? •Improve system uptime and employee productivity? •Ensure viable eCommerce? ▪ Answer: Information Security.
  13. 13. www.primeinfoserv.com | info@primeinfoserv.com Limitations of Current information security systems ENTERPRISE CUSTOMERS VENDORS What happens if the employee with critical information with him leaves organization and joins the competitors? Competitors ENTERPRISE Employees take laptops out, what happens if the laptop is stolen? What happens if the email gets accidentally marked to a vendor ? Firewalls VPN Network
  14. 14. BIG DATA = BIG PROBLEMS
  15. 15. SKILLS GAP BECOMES A CHASM
  16. 16. WHAT’S THE PROBLEM? ▪ Your security people have to protect against thousands of security problems. ▪ Hackers only need one thing to be missed. ▪ But with appropriate attention given to security, companies can be reasonably well protected.
  17. 17. “All it takes is just one weak link in the chain for an attacker to gain a foothold into your network”
  18. 18. 19 WHAT IS NEEDED? Management concerns • Market reputation • Business continuity • Disaster recovery • Business loss • Loss of confidential data • Loss of customer confidence • Legal liability • Cost of security Security Measures/Controls • Technical • Procedural • Physical • Logical • Personnel • Management
  19. 19. www.primeinfoserv.com | info@primeinfoserv.com CALL TO ACTION Poor information security outcomes are commonly the result of poor management and not poor technical controls. The 27000 series of ISMS Standards tackle the information problems we face from the management perspective. - It is not easy, but it is best practice and it works
  20. 20. THE GOLDEN RULE IN INFORMATION SECURITY ! Business Needs First, Technology Needs Last.
  21. 21. (No More of This) THE FIRST STEP -START BY ACKNOWLEDGING THE PROBLEM…
  22. 22. MANAGING INFORMATION SECURITY - RINGS OF PROTECTION
  23. 23. EFFECTIVE MANAGEMENT SYSTEMS ▪ Effective management systems include: ▪ Clear delineation of roles and responsibilities ▪ Written policies and procedures ▪ Training ▪ Internal controls ▪ Effective oversight ▪ Information sharing ▪ Systems must provide reliable and current information on effectiveness and efficiency of the process .
  24. 24. SECURITY RISK MANAGEMENT PRINCIPLES •Information Security is a business problem, not just an IT problem •Information Security risks need to be properly managed just like any other business risk •Lifecycle management is essential – there are always new threats and new vulnerabilities to manage (and new systems , new people new technologies, etc., etc.)
  25. 25. Information Security WHERE DO I APPLY INFORMATION SECURITY Process Layer Technology Layer People Layer Facilities Layer Strategy Layer Data/Appl. Layer Information Security  Is your IS strategy complete? Does it address key issue?  Privacy rights must be balanced with security exposures.  Ensure that your security processes function and produce intended results.  Sensitive and critical data must be available, managed, and utilized in a secure fashion.  IT is the foundation for data management and process execution maximize uptime and security.  The best strategies and processes will be undermined if availability and security of physical assets is not ensured. Way Ahead ItAppliesatAllLayers
  26. 26. SECURITY RISK MANAGEMENT: EDUCATION • One of the largest security risks in your enterprise is untrained employees – this especially includes upper management • Who cares what technology you have if an employee will give their password over the phone to someone claiming to be from the help desk? • Are users aware of their roles and responsibilities as they relate to information security? • Are users aware of security policies and procedures? • Do users know who to call when there are security problems?
  27. 27. WHAT WE SHOULD BE DOING AS AN ORGANIZTION TO ADDRESS THE MULTIPLE CHALLENGES.
  28. 28. GOVERNANCE RISK AND COMPLIANCE
  29. 29. INFORMATION SECURITY & IT GOVERNANCE
  30. 30. www.primeinfoserv.com | info@primeinfoserv.com Existing Problems  Organizations are often working at the tactical level without a strategic framework  Examples:  Security tools  Incident response  Lack of regular feedback to executive management  Examples:  Ad hoc testing occurs without a pre-defined structure  Few requirements for action plans to provide solutions
  31. 31. www.primeinfoserv.com | info@primeinfoserv.com Make Security Strategic Stove-pipe management leads to gaps Department Department Department Department G A P G A P G A P
  32. 32. www.primeinfoserv.com | info@primeinfoserv.com Information Security & IT Governance  What is information security governance?  Leadership  Framework established to ensure that all the security elements put in place to protect your data environment work efficiently, accomplish what is intended, and do so cost effectively  Processes to carry out what is intended by the leadership‘  Why is it important?  Provides a framework for secure business operations in an interconnected world  Ensures the organization ’s security resources are well spent  Gains international respect
  33. 33. www.primeinfoserv.com | info@primeinfoserv.com Department Department Department Department A Holistic Approach to Governance Security Risk Management
  34. 34. www.primeinfoserv.com | info@primeinfoserv.com Information Security & IT Governance  What does it need to include?  Alignment with the information security strategy of the organization  Management of risks  Efficient and effective management  Verification of results  What benefits can be gained from a security governance program?  International recognition  Fewer breaches to deal with/increased efficiency  More effective use of resources
  35. 35. www.primeinfoserv.com | info@primeinfoserv.com Organizational Governance Governance Model Security Governance IT Governance Financial Governance Policies & Procedures Verification Reporting
  36. 36. www.primeinfoserv.com | info@primeinfoserv.com Tiered Security Process CIO CISO Business Processes Systems and Infrastructure Risks Audit Results Vulnerability Assessments Continuous Monitoring Page 12 Security Awareness Policies Guidelines Standards Drive the Program Feedback Security Management
  37. 37. www.primeinfoserv.com | info@primeinfoserv.com Best Practices Security Governance Approve Define Interpret Implement Operations Operational Governance Enterprise Policy and Standards Executive Leadership – Executive Mgmt/ CIO CISO Line of Business Human Resources Line of Business Datacenter
  38. 38. www.primeinfoserv.com | info@primeinfoserv.com Governance Implementation The Role of Executive Management - Strategic  Commit To Holistic Security Excellence  Set a common vision  Establish principles to guide the program  Commit To a Program  Create the security program plan  Apply the necessary resources  Manage Change  Drive transformation through organization  Measure Success  Internal testing and measurement  Audit improvement
  39. 39. IT GOVERNANCE ▪ IT Governance is an integral part of the corporate governance involves leadership support, organizational structure and processes to ensure that a bank’s IT sustains and extends business strategies and objectives. ▪ Effective IT Governance is the responsibility of the Board of Directors and Executive Management.
  40. 40. WHY IT GOVERNANCE? – IT is critical in supporting and enabling bank’s business goals – IT is strategic to business growth and innovation – Due diligence is increasingly important due to IT implications of mergers and acquisitions – Risks of failure have wider reputational impact
  41. 41. ROLES & RESPONSIBILITIES SNo. Roles & Responsibilities Responsibility Description (i) Board of Directors/ IT Strategy Committee Approving IT strategy and policy documents, Ensuring that the IT organizational structure complements the business model and its direction etc. (ii) Risk Management Committee Promoting an enterprise risk management competence throughout the bank, including facilitating development of IT-related enterprise risk management expertise (iii) Executive Management Level Among executives, the responsibility of Senior executive in charge of IT operations/Chief Information officer (CIO) is to ensure implementation from policy to operational level involving IT strategy, value delivery, risk management, IT resource and performance management. (iv) IT Steering Committee Its role is to assist the Executive Management in implementing IT strategy that has been approved by the Board. An IT Steering Committee needs to be created with representatives from the IT, HR, legal and business sectors.
  42. 42. POLICIES & PROCEDURES ▪ The bank needs to have IT-related strategy and policies ▪ IT strategy and policy needs to be approved by the Board ▪ Detailed operational procedures may be formulated in relevant areas including for data center operations ▪ A bank needs to follow a structured approach for the long- range planning process considering multiple factors ▪ There needs to be an annual review of IT strategy and policies taking into account the changes to the organization’s business plans and IT environment
  43. 43. POLICIES & PROCEDURES ▪ Banks need to establish and maintain an enterprise architecture framework or enterprise information model to enable applications development and decision-supporting activities, consistent with IT strategy. ▪ There is also a need to maintain an “enterprise data dictionary” that incorporates the organization’s data syntax rules. ▪ Banks need to establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g. public, confidential, or top secret) of enterprise data. ▪ There is a need for a CIO in bank. He has to be the key business player and a part of the executive decision-making function. His key role would be to be the owner of IT functions: enabling business and technology alignment. ▪ Bank-wide risk management policy or operational risk management policy needs to be incorporate IT-related risks also. The Risk Management Committee periodically reviews and updates the same (at least annually).
  44. 44. INFORMATION SECURITY
  45. 45. SNo. Roles & Responsibilities Responsibility Description (i) Boards of Directors/Senior Management The Board of Directors is ultimately responsible for information security. Senior Management is responsible for understanding risks to the bank to ensure that they are adequately addressed from a governance perspective. (ii) Information Security Team/Function Banks should form a separate information security function/group to focus exclusively on information security management. (iii) Information Security Committee Includes business heads from different units and are responsible for enforcing companywide policies & procedures. (iv) Chief Information Security Officer (CISO) A sufficiently senior level official of the rank of GM/DGM/AGM needs to be designated as the Chief Information Security Officer (CISO) responsible for articulating and enforcing the policies that a bank uses to protect its information assets. The CISO needs to report directly to the Head of the Risk Management function and should not have a direct reporting relationship with the CIO.
  46. 46. IS AUDIT
  47. 47. R&R S No. Roles & Responsibilities Responsibility description 1 Board of Directors and Senior Management To meet the responsibility to provide an independent audit function with sufficient resources to ensure adequate IT coverage, the board of directors or its audit committee should provide an internal audit function which is capable of evaluating IT controls adequately. 2 Audit Committee of the Board The Audit Committee should devote appropriate and sufficient time to IS audit findings identified during IS Audits and members of the Audit Committee would need to review critical issues highlighted and provide appropriate guidance to the bank’s management. 3 Internal Audit/Information System Audit function Banks should have a separate IS Audit function within the Internal Audit department led by an IS Audit Head, assuming responsibility and accountability of the IS audit function, reporting to the Chief Audit Executive (CAE) or Head of Internal Audit.
  48. 48. IS AUDIT S No. Component Description (i) IS Audit Because the IS Audit is an integral part of the Internal Auditors, auditors will also be required to be independent, competent and exercise due professional care. (ii) Outsourcing relating to IS Audit Risk evaluation should be performed prior to entering into an outsourcing agreement and reviewed periodically in light of known and expected changes, as part of the strategic planning or review process. 2 Audit Charter, Audit Policy to include IS Audit An Audit Charter / Audit Policy is a document which guides and directs the activities of the Internal Audit function. IS Audit, being an integral part of the Internal Audit function, should also be governed by the same Audit Charter / Audit Policy. The document should be approved by the Board of Directors. IS Audit policy/charter should be subjected to an annual review to ensure its continued relevance and effectiveness. 3 Planning an IS Audit Banks need to carry out IS Audit planning using the Risk Based Audit Approach. The approach involves aspects like IT risk assessment methodology, defining the IS Audit Universe, scoping and planning the audit, execution and follow up activities. 4 Executing IS Audit During audit, auditors should obtain evidences, perform test procedures, appropriately document findings, and conclude a report. 6 Reporting and Follow up This phase involves reporting audit findings to the CAE and Audit Committee. Before reporting the findings, it is imperative that IS Auditors prepare an audit summary memorandum providing overview of the entire audit processing from planning to audit findings. 7 Quality Review It is to assess audit quality by reviewing documentation, ensuring appropriate supervision of IS Audit members and assessing whether IS Audit members have taken due care while performing their duties.
  49. 49. BUSINESS CONTINUITY PLANNING
  50. 50. R&R SNo. Roles & Responsibilities Responsibility description (a) Board of Directors and Senior Management Indian banks follow the RBI guideline of reporting all frauds above 1 crore to their respective Audit Committee of the Board. 1.1. BCP Head or Business Continuity Coordinator A senior official needs to be designated as the Head of BCP activity or function 1.2. BCP Committee or Crisis Management Team Present in each department to implement BCP department wise. 1.3 BCP Teams There needs to be adequate teams for various aspects of BCP at central office, as well as individual controlling offices or at a branch level, as required.
  51. 51. SNo Component Description 2.1 BCP Methodology Banks should consider various BCP methodologies and standards, like BS 25999, as inputs for their BCP framework. 2.3 Key Factors to be considered for BCP Design Following factors should be considered while designing the BCP: • Probability of unplanned events, including natural or man-made disasters, earthquakes, fire, hurricanes or bio- chemical disaster • Security threats • Increasing infrastructure and application interdependencies • Regulatory and compliance requirements, which are growing increasingly complex • Failure of key third party arrangements • Globalization and the challenges of operating in multiple countries. 3 Testing a BCP Banks must regularly test BCP to ensure that they are up to date and effective: Testing of BCP should include all aspects and constituents of a bank i.e. people, processes and resources (including technology). Banks should consider having unplanned BCP drill, Banks should involve their Internal Auditors (including IS Auditors) to audit the effectiveness of BCP etc. Various other techniques shall be used for testing the effectiveness of BCP. 4 Maintenance and Re-assessment of Plans BCPs should be maintained by annual reviews and updates to ensure their continued effectiveness. Changes should follow the bank’s formal change management process in place for its policy or procedure documents. A copy of the BCP, approved by the Board, should be forwarded for perusal to the RBI on an annual basis. 5 Procedural aspects of BCP Banks should also consider the need to put in place necessary backup sites for their critical payment systems which interact with the systems at the Data centers of the Reserve Bank. 6 Infrastructural aspects of BCP Banks should consider paying special attention to availability of basic amenities such as electricity, water and first-aid box in all offices. 7 Human Aspect of BCP Banks must consider training more than one individual staff for specific critical jobs, They must consider cross-training employees for critical functions and document-operating procedures. 8 Technology aspects of BCP Applications and services in banking system which are highly mission critical in nature and therefore requires high availability, and fault tolerance to be considered while designing and implementing the solution.
  52. 52. GOVERNANCE RISK AND COMPLIANCE
  53. 53. OFFER CLOSES AT THE END OF THIS MONTH!! •This BMW car is available for $ 20,000/- only!
  54. 54. JUST ONE CAVEAT 22/04/2016 BRiSK_April20 15 •The positions of the brake and the accelerator are interchanged; the brake is on the right and the accelerator on the left.
  55. 55. WHAT WOULD YOU LIKE TO DO? 22/04/2016 BRiSK_April20 15 •Would you avail the offer, as is ? •Would you like to revert to the typical design (at additional cost)? •Would you like to get re- trained to drive this car? •Would you like to get insured at a higher premium, or hire a driver who can manage this design? Accept the risk Avoid the risk Mitigate the risk Transfer the risk
  56. 56. RISK - DEFINITION Source Definition ISO/IEC Guide 73:2002 ‘Combination of the probability of an event and its consequence.’ AS/NZS 4360:2004 ‘Chance of something happening that will have an impact on objectives.’ COSO (2004) ERM - Integrated Framework ‘Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities.’ Lars Oxelheim and Clas Wihlborg (2008) Corporate Decision-Making with Macroeconomic Uncertainty ‘The concept of risk refers in general to the magnitude and likelihood of unanticipated changes that have an impact on a firm’s cash flows, value or profitability. […] Risk has a negative connotation, but uncertainty can be a source of opportunities as well as costs.’ BRiSK_April2015 22/04/2016
  57. 57. LET’S LOOK AT THE ASPECTS OF ANY RISK SITUATION BRiSK_April2015 22/04/2016
  58. 58. www.primeinfoserv.com | info@primeinfoserv.com Mission Business Objectives Business Risks Applicable Risks Infosec Controls Review Aligning Business & Risk Management for Infosec
  59. 59. LET’S CALIBRATE ON OUR DISCUSSION We have a reflex to identify risks Decisions are influenced by nature of risks applicable Risk is not only un-certainty; its the effect of uncertainty The rigor of treatment should be commensurate to the magnitude and type of risk
  60. 60. OBJECTIVES CAN BE…. Business Objectives (examples) Risk Management Objectives (examples) IS / BC Objectives (examples) • Market share • Profit margin • Competitive advantage • Protect business value • Embedded at all levels i.e. strategic, tactical and operational • On-time & effective risk treatment • Availability of services at all times • Legal and regulatory compliance • Protect health and safety of personnel BRiSK_April2015 22/04/2016
  61. 61. RISK MANAGEMENT, ISO/IEC GUIDE 73, 2002
  62. 62. STRUCTURE OF ISO/IEC 27001 / ISO 22301 / ISO 9001 4 Context of the organization Understandin g the organization and its context Expectations of interested parties Scope of ISMS ISMS (PDCA) 5 Leadership Leadership and commitment Policy Org. roles, responsibilities and authorities 6 Planning 7 Support Resources Competence Awareness Communication 8 Operation 9 Performance evaluation Monitoring, measurement, analysis and evaluation Internal audit Management review 10 Improvement Nonconformity and corrective action Continual improvement PLAN DO CHECK ACT Documented information Actions to address risks and opportunities IS objectives and plans to achieve them Operational planning and control Information security risk assessment Information security risk treatment New Major clause New section with emphasis on measurable objectives Concept of preventive action moved to Clause 6 (planning) New section with emphasis on methods of measurement & performance analysis New section on Communication strategy A
  63. 63. RISK CRITERIA ▪ “Risk criteria are the parameters established by the organization to allow it to describe risk and make decisions about the significance of risk . These decisions enable risk to be assessed and treatment to be selected”. (ISO TR 31004:2013) ▪ Risk criteria can be based on organisational objectives, context , risk appetite ▪ Risk criteria can also be derived from standards, laws, policies and other requirements 22/04/2016
  64. 64. EXAMPLES OF RISK CRITERIA Impact & Probability Criteria (Examples) • SLA • Cost of recovery (criticality of assets) • Number of sites or personnel affected • Man-hours of production time • Damage to reputation, • Legal or regulatory penalties • Strategic value of the business process • Number of incidents (likelihood) Acceptance Criteria (Examples) • Different residual levels may apply to different classes of risk, e.g. Risks that could result in legal / regulatory non- compliance may have a very low residual level (qualitative or quantitative) • Risk owners may accept risks above the acceptance level under defined conditions, (for example if there is a commitment to take action to reduce it to an acceptable level within a defined time) 22/04/2016
  65. 65. ISO/IEC 27001:2013& RISK MANAGEMENT ▪ PLAN PHASE: Risk assessment process mandatory ▪ DO PHASE: System of Internal controls to manage applicable risks ▪ CHECK PHASE: Internal Audit and Management Review process for verifying effectiveness of controls ▪ DO PHASE: Process to implement necessary actions to improve the systems of control
  66. 66. www.primeinfoserv.com | info@primeinfoserv.com Likelihood X Impact = RISK Risk Rating Very small Impact Moderate Impact Significant Impact Huge Impact Unlikely Low Risk Low Risk Low Risk Low Risk Realistic Possibility Low Risk Low Risk Moderate Risk Moderate Risk Strong Likelihood Low Risk Moderate Risk Moderate Risk High Risk Near Certainty Low Risk Moderate Risk High Risk High Risk Page 14 Drive to the left
  67. 67. LET’S PUT IT TOGETHER 22/04/2016 A. Creates Value B. Integral part of organisational process C. Part of Decision making D. Explicitly address uncertainty E. Systematic, Structured and timely F. Based on the best available information G. Tailored H. Takes human and cultural factors into account I. Transparent and inclusive J. Dynamic , iterative and responsive to change K. Facilitates continual improvement and enhancement of the organisation Principles Framework Process Mandate & Commitment (4.2) Design of Framework for managing risk (4.3) Implementing risk management (4.4) Monitoring and review of the framework (4.5) Continual improvement of the framework (4.6) Establishing the context (5.3) Risk identification (5.4.2) Risk Analysis (5.4.3) Risk evaluation (5.4.4) Risk Treatment (5.5) Communicationandconsultation(.52.) Monitoringandreview(5.6) Risk Assessment (5.4) Figure 1: ISO 31000:2009
  68. 68. www.primeinfoserv.com | info@primeinfoserv.com Risk Management Plan Risk Analysis Audits DO Plan of Action and Milestones Check Continuous Monitoring “After-Action” Reports Act Revise Policy & Program Redirect Risk Analysis Page 16
  69. 69. 70 FRAMEWORK – RISK IT
  70. 70. GOVERNANCE RISK AND COMPLIANCE
  71. 71. WHAT IS COMPLIANCE?
  72. 72. WHAT IS COMPLIANCE? • Compliance should be a program based on defined requirements • Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues • The program is embodied by a framework • Compliance is more about policy, process and risk management than it is about technology
  73. 73. RISK & COMPLIANCE MGMT Partners/ Customers Regulations Control Framework Assessments Policy and Awareness Audits Treat Risks Improve Controls Automate Process Risk Assessment
  74. 74. RISK AND COMPLIANCE APPROACHES Minimal Sustainable Optimized • Annual / Project-based Approach • Minimal Repeatability • Only Use Technologies Where Explicitly Prescribed in Standards and Regulations • Minimal Automation •Proactive / Planned Approach •Learning Year over Year •Use Technologies to Reduce Human Factor •Leverage Controls Automation Whenever Possible •Regulatory Requirements are Mapped to Standards •A Framework is in Place •Compliance and Enterprise Risk Management are Aligned •Process is Automated
  75. 75. IDENTIFY DRIVERS Partners/ Customers Regulations Risk Assessment
  76. 76. IDENTIFY DRIVERS Compliance is NOT just about regulatory compliance. Regulatory compliance is a driver to the program, controls and framework being put in place. Managing compliance is fundamentally about managing risk.
  77. 77. IDENTIFY DRIVERS • Risk Assessment – Identify unique risks and controls requirements • Partners / Customers – Partners represent potential contractual risk – Customer present privacy concerns • Regulations – regulatory risk is considered as part of overall risk
  78. 78. DEVELOP PROGRAM Partners/ Customers Regulations Control Framework Policy and AwarenessRisk Assessment
  79. 79. WHAT IS A CONTROL? *Source: ITGI, COBIT 4.1 Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
  80. 80. WHAT IS A FRAMEWORK? A framework is a set of controls and/or guidance organized in categories, focused on a particular topic. A framework is a structure upon which to build strategy, reach objectives and monitor performance.
  81. 81. WHY USE A FRAMEWORK? • Enable effective governance • Align with business goals • Standardize process and approach • Enable structured audit and/or assessment • Control cost • Comply with external requirements
  82. 82. FRAMEWORKS AND CONTROL SETS • ISO 27001/27002 • COBIT • ITIL • NIST • Industry-specific – i.e. PCI • Custom
  83. 83. ISO 27001/27002 • Information Security Framework • Requirements and guidelines for development of an ISMS (Information Security Management System) • Risk Management a key component of ISMS • Part of ISO 27000 Series of security standards
  84. 84. ISO 27001 – MGMT FRAMEWORK ▪ Information Security Management Systems – Requirements (ISMS) ▪ Process approach ▪ Understand organization’s information security requirements and the need to establish policy ▪ Implement and operate controls to manage risk, in context of business risk ▪ Monitor and review ▪ Continuous improvement
  85. 85. ISO 27001
  86. 86. THE KEY CONTROL CLAUSES IN ANNEX A OF ISO /IEC 27001:2013
  87. 87. BUILDING A FRAMEWORK Risk Assessment & Treatment Security Policy Organizing Information Security Asset Management Human Resources Security Physical and Environmental SecurityCommunications and Operations Management Access Control IS Acquisition, Development and Maintenance Information Security Incident Management Business Continuity Management Compliance Operational Controls Technical Controls Management Controls Protected Information ISO 27002: Code of Practice for Information Security Management
  88. 88. FRAMEWORKS COMPARISON Framework Strengths Focus COBIT Strong mappings Support of ISACA Availability IT Governance Audit ISO 27001/27002 Global Acceptance Certification Information Security Management System ITIL IT Service Management Certification IT Service Management NIST 800-53 Detailed, granular Tiered controls Free Information Systems FISMA PCI DSS Card Industry Specific IT Controls to protect Card holder Information
  89. 89. www.primeinfoserv.com | info@primeinfoserv.com What is PCI Compliance?  Definition – Payment Card Industry Data Security Standard (PCI-DSS)  Set up in 2004 by Visa, MasterCard, American Express, Discover, and JCB to reduce the risk of credit card theft and transfer liability to merchants  Requires mandatory adoption by all businesses that store, process, or transmit credit/debit card data 6Control Objectives 6Control Objectives 12Core Requirements 280+Audit Procedures
  90. 90. 12 RULES OF PCI DSS COMPLIANCE NEW VENTURES - PAYMENTS Build and Maintain a Secure Network Requirement 1 Install and maintain a firewall configuration to protect cardholder data Requirement 2 Do not use vendor supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3 Protect stored cardholder data Requirement 4 Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5 Use and regularly update anti-virus software or programs Requirement 6 Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7 Restrict access to cardholder data by business need to know Requirement 8 Assign a unique ID to each person with computer access Requirement 9 Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 11 Track and monitor all access to network resources and cardholder data Requirement 11 Regularly test security systems and processes Maintain an Information Security Policy Requirement 12 Maintain a policy that addresses information security for all personnel.
  91. 91. PCI INTENT - IN ONE SENTENCE… Protect card holder data (CHD) from inappropriate disclosure
  92. 92. CARD HOLDER DATA (CHD)
  93. 93. CHD – IT GETS EVERYWHERE!!!! Just a few places where we have found CHD !
  94. 94. www.primeinfoserv.com | info@primeinfoserv.com COMMON CHALLENGES TO ACHIEVE PCI COMPLIANCE • Fully understand and document the processes and payment environment • Tracking and monitoring of access to payments card systems and data • Controlling logical access (authentication) to systems containing payment card data • Security event monitoring across a disparate environment • Limited security capabilities (authentication, monitoring, etc…) of legacy systems • Remediation of controls across large (often legacy) distributed environments • Encryption of payment card data • Putting PCI contractual language in place for third party service providers • Obtaining management support to perform remediation
  95. 95. www.primeinfoserv.com | info@primeinfoserv.com BENEFITS OF COMPLIANCE • Protect customers’ personal data • Boost customer confidence through a higher level of data security • Lower exposure to financial losses and remediation costs • Maintain customer trust and safeguard the reputation of the brand • Provide a complete “health check” for any business that stores or transmit customer information
  96. 96. AUDIT AND REMEDIATE Partners/ Customers Regulations Control Framework Assessments Policy and Awareness Audits Treat Risks Risk Assessment
  97. 97. ORGANIZATION EXAMPLE Internal Audit COBIT ITIL IT Service Desk ISO 27001/27002 Information Security CMMi Software Delivery
  98. 98. CONTROLS ALIGNMENT How aligned are your controls? Assessment (Information Security, IT Risk Management) Internal Audit (IT/Financial Audit) External Audit (Regulatory and Non- Regulatory)
  99. 99. REMEDIATION PRIORITIES • Where are our greatest risks? • What controls are we fulfilling? • How many compliance requirements are we solving?
  100. 100. IMPROVE AND AUTOMATE Partners/ Customers Regulations Control Framework Assessments Policy and Awareness Audits Treat Risks Improve Controls Automate Process Risk Assessment
  101. 101. CONTROLS HIERARCHY Manual Require human intervention Vs. Automated Rely on computers to reduce human intervention Detective Preventive Designed to search for and identify errors after they have occurred Designed to discourage or preempt errors or irregularities from occurring Vs.
  102. 102. AUTOMATED AND PREVENTIVE Logging and Monitoring Not Efficient Efficient Reviewing logs for incidents An automated method of detecting incidents Not Effective Effective Missing the incident due to human error Preventing the incident from occurring in the first place
  103. 103. AUTOMATE THE PROCESS • How do you currently measure compliance? • Reduce documents, spreadsheets and other forms of manual measurement • Create dashboard approach • Governance, Risk and Compliance toolsets
  104. 104. GRC AUTOMATION Enterprise Multi-Function Single Function •Enterprise Scope •Highly Configurable •Multiple Functions (Risk, Compliance, Policy) •Sophisticated Workflow •Functionality More Limited •More “out of the box” •Modest Workflow •Specific Process •Specific Standard or Regulation •Simple Workflow
  105. 105. CUSTOM DEFENSE : TARGETED ATTACKS AND ADVANCED THREATS & VULNERABILITY PROTECTION Confidential | Copyright 2013 Trend Micro Inc.
  106. 106. Advanced Targeted Threats Empowered Employees De-Perimeterization Virtualization, Cloud, Consumerization & Mobility TODAY, TRADITIONAL SECURITY IS INSUFFICIENT Source: Forrester i.e., Stuxnet, Epsilon, Aurora, Mariposa, Zeus, Sony PlayStation, etc. & Wikileaks Trend Micro evaluations find over 90% of enterprise networks contain active malicious malware!
  107. 107. THE NEED FOR REAL-TIME RISK MANAGEMENT SOURCE: VERIZON 2011 DATA BREACH REPORT 1/3 of infections result in compromise within minutes, but most are not discovered or contained for weeks or months!
  108. 108. ANALYSTS AND INFLUENCERS URGE ACTION  “Zero-Trust” security model  Use of Network Analysis and Visibility Tools  “Lean Forward” proactive security strategy  Use of Network Threat Monitoring Tools  “Real-Time Risk Management”  Use of Threat Monitoring Intelligence  US Federal Risk Management Framework  Calls for “Continuous Monitoring”
  109. 109. A Typical Targeted Attack Intelligence Gathering Identify & research target individuals using public sources (LinkedIn, Facebook, etc) and prepare a customized attack. 1 Point of Entry The initial compromise is typically from zero-day malware delivered via social engineering (email/IM or drive by download). A backdoor is created and the network can now be infiltrated. (Alternatively, a web site exploitation or direct network hack may be employed.) 2 Command & Control (C&C) Communication Allows the attacker to instruct and control the compromised machines and malware used for all subsequent phases. 3 Lateral Movement Once inside the network, attacker compromises additional machines to harvest credentials, escalate privilege levels and maintain persistent control. 4 Asset/Data Discovery Several techniques (ex. Port scanning) are used to identify the noteworthy servers and the services that house the data of interest. 5 Data Exfiltration Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed and often encrypted for transmission to external locations. 6
  110. 110. HOW LONG DO TARGETED ATTACKS / APTS STAY HIDDEN? Most companies are breached in minutes but it is not discovered for months! Source: Verizon Data Breach Investigations Report 20121 1Confidential | Copyright 2012 Trend Micro Inc. Average time from compromise to discovery is 210 days
  111. 111. APTS MOST COMMONLY START WITH A SPEAR PHISHING EMAIL WITH AN ATTACHMENT
  112. 112. Antivirus Compare malicious binary files and attachments, like the ‘copy.docx’ file to known virus signatures Sender Reputation Block email from known suspected spammers, like readjustedha6@12481b matter.com  Lexical Analysis Analyze word combinations & patterns commonly found in spam 
  113. 113. Sender Reputation Example@emailinfo.e xample.com is not known for sending out spam X Antivirus Script-based attack; no known signatures or history of similar attacks Lexical Analysis No commonly used word combinations or patterns of spam X X
  114. 114. ▪ Spread through direct messages with “hidden video” lure ▪ Utilizes obfuscation techniques (re-direct) ▪ Steals account credentials ▪ “Missing Adobe” message causes dropper file ▪ 23% detection rate by AV engines ▪ Websense customers were protected EXAMPLE - SOCIAL MEDIA 115
  115. 115. 117 • PII Continues • Credit Cards • Identification • IP Theft Grew • Government • Commercial Insider Threat • Accidental • Phishing • Intentional • Physical • Electronic
  116. 116. "While traditional antivirus [vendors] may be able to spot and deflect many kinds of attacks, they're not well-equipped to handle targeted attacks. But there are technologies able to detect such attacks, if not entirely prevent them."
  117. 117. WHY CURRENT DEFENSES FAIL 3 FORWARD FACING ONLY, LACK OUTBOUND PROTECTION Not data-aware, lack contextual analysis, minimal to no forensic visibility 2 LACK OF REAL-TIME INLINE CONTENT ANALYSIS Collect samples for lab analysis using background processes Producing new signatures (network/file) and reputations (URL/file) 4 MORE OF THE SAME IN NEW DEPLOYMENT OPTIONS UTMs, NGFWs, IDSs, Network Threat Monitors SSL severely impacts performance, or blind to it 1 PRIMARILY BASED ON SIGNATURE & REPUTATION History is not a reliable indicator of future behavior. Signature creation cannot keep up with the dynamic creation of threats
  118. 118. www.primeinfoserv.com | info@primeinfoserv.com Source: Asymco.com,
  119. 119. SECURITY FIRM - RSA ATTACKED USING EXCEL FLASH http://downloadsquad.switched.com/2011/04/06/security-firm-rsa-attacked-using-excel-flash-one-two-sucker-punc/
  120. 120. Trend Micro’s Custom Defense Solution
  121. 121. www.primeinfoserv.com | info@primeinfoserv.com Custom Defense Advanced Malware Detection Contextual Threat Analysis Automated Security Updates Command & Control Detection Attacker Activity Detection Threat Impact Assessment Enterprise Network EndpointsGateways Third Party Security Information Security Email Network
  122. 122. DEEP DISCOVERY • Network traffic inspection • Advanced threat detection • Real-time analysis & reporting Deep Discovery Inspector Deep Discovery Analyzer Deep Discovery provides the visibility, insight and control you need to protect your company against APTs and targeted attacks Targeted Attack/APT Detection In-Depth Contextual Analysis Rapid Containment & Response • Custom scalable threat simulation • Deep investigation & analysis • Actionable intelligence & results
  123. 123. DEEP DISCOVERY INSPECTOR • Network traffic inspection • Advanced threat detection • Real-time analysis & reporting Network Inspection Platform Network Visibility, Analysis & Control Deep Discovery Inspector • Visualization • Analysis • Alarms • Reporting Network Inspection Platform Threat Detection Virtual Analyzer Watch List Threat Connect SIEM Connect
  124. 124. • Emails containing embedded document exploits • Drive-by downloads • Zero-day & known malware • C&C communication for all malware: bots, downloaders, data stealing, worms, blended… • Backdoor activity by attacker • Malware activity: propagation, downloading , spamming, … • Attacker activity: scan, brute force, tool download , … • Data exfiltration Attack Detection • Decode & decompress embedded files • Sandbox simulation of suspicious files • Browser exploit kit detection • Malware scan (Signature & Heuristic) • Destination analysis (URL, IP, domain, email, IRC channel, …) via dynamic blacklisting, white listing • Smart Protection Network reputation of all requested and embedded URLs • Communication fingerprinting rules • Rule-based heuristic analysis • Identification and analysis of usage of 100’s of protocols & apps including HTTP-based apps • Behavior fingerprinting Detection Methods HOW DEEP DISCOVERY WORKS
  125. 125. DEEP DISCOVERY: KEY FEATURES • Deep content inspection across 80+ of protocols & applications • Smart Protection Network reputation and dynamic black listing • Sandbox simulation and analysis • Communication fingerprinting • Multi-level rule-based event correlation • And more… Driven by Trend Micro threat researchers and billions of daily events Specialized Threat Detection Across the Attack Sequence Malicious Content • Emails containing embedded document exploits • Drive-by Downloads • Zero-day and known malware Suspect Communication • C&C communication for any type of malware & bots • Backdoor activity by attacker Attack Behavior • Malware activity: propagation, downloading, spamming . . . • Attacker activity: scan, brute force, tool downloads. . . • Data exfiltration communication
  126. 126. Real-Time Inspection Analyze Deep Analysis CorrelateSimulate Actionable Intelligence Threat Connect Watch List GeoPlotting Alerts, Reports, Evidence Gathering 130 Visibility – Real-time Dashboards Insight – Risk-based Analysis Action – Remediation Intelligence Identify Attack Behavior & Reduce False Positives Detect Malicious Content and Communication Out of band network data feed of all network traffic
  127. 127. CUSTOM DEFENSE 2.0 Control Manager OfficeScan InterScan Messaging Security InterScan Web Deep Discovery Inspector/ Analyzer SPN Feedback Company A SPN Feedback ScanMailEndpoint Sensor 1. Suspicious object list 2. Suspicious objects list/Action/IOC Deep Security Block IOC IOC
  128. 128. INCREASED IT SECURITY PRIORITY: VULNERABILITY AND THREAT MANAGEMENT Source: Forrsights Security Survey, Q3 2010 Since 2008, “Managing vulnerabilities and threats” has moved from #5 to #2 “Which of the following initiatives are likely to be your firm’s top IT security priorities over the next 12 months?”
  129. 129. www.primeinfoserv.com | info@primeinfoserv.com Announcing: Trend Micro Real-Time Threat Management Solutions • Detect, analyze and remediate advanced threats • Investigate incident events and contain their impact • Monitor and optimize security posture • Manage vulnerabilities & proactive virtual patching • Augment security staff & expertise Network-Wide Visibility and Control Actionable Threat Intelligence Timely Vulnerability Protection Threat Management System Dynamic Threat Analysis System Threat Intelligence Manager Vulnerability Mgmt. Services Deep Security Virtual Patching Smart Protection Network Intelligence Risk Management Services
  130. 130. TREND MICRO THREAT MANAGEMENT SYSTEM TMS is a Network Analysis and Visibility solution that provides the real-time visibility, insight, and control to protect your company from advanced persistent attacks Network Threat Detection & Deterrence Automated Remediation Malware Forensic Analysis Platform Multi-Level Reporting Risk Management Services Offering Over 300 Enterprise & Government Customers WW
  131. 131. TMS: VISIBILITY – INSIGHT – CONTROL DataCenter APT Implanted Via Web, Email, USB… Threat Discovery Appliance Command & Control Server APT Communication Detected Threat Mitigator Additional Analysis Detailed Reports: • Incident Analysis • Executive Summary • Root-cause Analysis • Signature-free clean up • Root-cause analysis Threat Confirmed
  132. 132. DETECTION CAPABILITIES New – DTAS Sandbox Detection Engine New – Document Exploit Engine • Multiple unique threat engines • 24 hour event correlation • Continually updated threat relevance rules • Data loss detection • Tracks unauthorized app usage and malicious destinations • Powered by Smart Protection Network and dedicated Trend researchers Best Detection Rates Lowest False Positives Real-Time Impact
  133. 133. www.primeinfoserv.com | info@primeinfoserv.com TMS + Dynamic Threat Analysis System • Sandbox execution • Malware actions & events • Malicious destinations • C&C Servers contacted • Exportable reports & PCAP files • Backend integration into TMS reporting & Mitigator Integrated malware execution and forensic analysis Threat Discovery Appliance Direct File Submission Other Trend Products
  134. 134. TREND MICRO THREAT INTELLIGENCE MANAGER Delivers threat intelligence and impact analysis needed to identify and reduce exposure to advanced threats. Incident Analysis and Security Posture Monitoring Real-Time Threat Analysis and Visualization Provide Actionable Intelligence for active threats Visualize event relationships in an attack Office Scan Incident Discovery Threat Discovery Appliance Suspicious Network BehaviorThreat Intelligence Manager Threat Analysis and Response Consolidates threat events and uses advanced visualization and intelligence to uncover the hidden threats! Deep Security System Integrity
  135. 135. CUSTOMIZABLE DASHBOARD Access and visualization by role and responsibility
  136. 136. Threat Intelligence Manager Threat Management System Dynamic Threat Analysis System Endpoints Network Servers • Multi-point detection • Validation • Threat Analysis • Impact Assessment • Automated Remediation • Pro-active Protection Real-Time Threat Management In Action
  137. 137. NEW RISK MANAGEMENT SERVICES ▪ Proactive monitoring and alerting ▪ Threat analysis and advisory ▪ Threat remediation assistance ▪ Risk posture review and analysis ▪ Strategic security planning Augment stretched IT security staff Put Trend Micro Threat Researchers and Service Specialists on your team A complete portfolio designed to further reduce risk exposure and security management costs Increase IT security responsiveness and expertise
  138. 138. WHY TREND MICRO? Trend Micro is the only vendor providing integrated real-time protection and risk management against advanced targeted threats. Network-Wide Visibility and Control Actionable Threat Intelligence Timely Vulnerability Protection Threat Management System Dynamic Threat Analysis System Threat Intelligence Manager Vulnerability Mgmt. Services Deep Security Virtual Patching Smart Protection Network Intelligence Risk Management Services “Trend Micro has always impressed me with its understanding of what its customers are going through and this reiterates it again.” Richard Stiennon, IT-Harvest
  139. 139. THE VIRTUAL PATCHING SOLUTION ▪ Close window of vulnerability for critical systems and applications ▪ Protect “unpatchable” systems ▪ Meet 30-day PCI patch requirement Risk Mgt & Compliance • Reduce patch cycle frequency • Avoid ad-hoc patching • Minimize system downtime Operational Impact Trend Micro Security Center provides Virtual Patches within hours of vulnerability disclosure •Automated centralized distribution •Protection available: •Deep Security product module •With OfficeScan IDF plugin Automated Monitoring Application Analysis Filter “Patch” Development Protection DeliveryTrend Micro Security Center Physical / Virtual / Cloud Servers Endpoints & Devices
  140. 140. www.primeinfoserv.com | info@primeinfoserv.com VULNERABILITY MANAGEMENT SYSTEM▪ Vulnerability scanning ▪ Vulnerability scanning of internal and external devices ▪ Patch and configuration recommendations ▪ Web application scanning ▪ Web site crawler to detect application design vulnerabilities like SQL injection and cross-site scripting etc. ▪ PCI compliant scanning ▪ Vulnerability scanning with reports for PCI ▪ Trend is an Approved Scanning Vendor ▪ Policy compliance ▪ Define and track compliance with device security policies ▪ SaaS based management portal ▪ Hosted scans of external devices ▪ On-premise appliance for scanning internal devices managed from SaaS portal ▪ On-demand scan 144
  141. 141. ADVANCED VISUALIZATION & IMPACT ANALYSIS Visualize the relationship between cause and effect of each threat event, and fully understand the impact
  142. 142. Jan 2011 results of testing conducted by AV-Test.org (qualified for internal use) Results from T+60 test 0.0% 20.0% 40.0% 60.0% 80.0% 100.0% 100.0% 63.0% 70.5% 77.0% 61.5% Total Percentage of threats blocked by all layers: Exposure, Infection, Dynamic Trend Micro OfficeScan McAfee VirusScan Microsoft Forefront Sophos Endpoint Security Symantec Endpoint Protection TREND MICRO SMART PROTECTION NETWORK
  143. 143. http://us.trendmicro.com/us/trendwatch/core-technologies/competitive-benchmarks/nss-labs/index.html?cm_re=HP:Sub:1-_-CORP-_- NSSlabs02 TREND MICRO SMART PROTECTION NETWORK
  144. 144. Industry-proven real-world protection Note: If multiple products from one vendor were evaluated, then vendor’s best performance is listed. *1:http://www.nsslabs.com/research/endpoint-security/anti-malware/ *2:http://us.trendmicro.com/us/trendwatch/core-technologies/competitive-benchmarks/index.html *3:http://www.dennistechnologylabs.com/reports/s/a-m/trendmicro/PCVP2010-TM.pdf (Dec. Test performed for Computer Shopper UK) *4 : http://www.av-comparatives.org/images/stories/test/dyn/stats/index.html TREND MICRO SMART PROTECTION NETWORK
  145. 145. Interactive drill-down dashboards • Navigate across corporate groups • Pin-point infected sources • Perform root-cause analysis • Track suspicious user behavior and application usage • Detect leakage of regulated data • Customizable event alarms • Multi-level reporting for managers and executives • Available on-premise or hosted THREAT MANAGEMENT PORTAL Coming 2H 2011 • Improved drill down capability • Sandbox analysis workbench
  146. 146. www.primeinfoserv.com | info@primeinfoserv.com THREAT MITIGATOR TECHNOLOGY: ROOT-CAUSE AND SIGNATURE-FREE CLEANUP  Cleanup request received  Check forensic logs  Locate which process performed malicious activity  Remove malware process, file and registry entries  Locate and remove parent malware  Locate and remove child malware  In case of failure, a custom cleanup kit is automatically generated by Trend
  147. 147. RISK MANAGEMENT SERVICES Bronze Services Silver Services Gold Services Diamond Services • On-demand advisory services • On-demand remediation services • Priority event alerting • 8X5 access • Product installation and configuration • Bronze package plus… • Weekly report reviews & advisory • Monthly status; Quarterly reviews • 24X7 access for urgent issues • Silver package plus… • Daily report reviews & advisory • Customized security planning • Annual assessment and training • Gold package plus… • Daily monitoring & communication • Complete tailored services delivery • Dedicated Technical Account Manager A component of Trend Micro Technical Account Management Services
  148. 148. Global Security & Logistics Co. OVER 300 ENTERPRISE AND GOVERNMENT CUSTOMERS FOR TREND MICRO
  149. 149. KEY PARTNERSHIPS
  150. 150. KEY CUSTOMERS
  151. 151. National Housing Development Company Partial List of Management System Training & Consulting Clients KEY CUSTOMERS
  152. 152. HOW WE CAN HELP YOU IN YOUR JOURNEY
  153. 153. ▪ VAPT/IT Infra GAP Analysis ▪ Process Consulting (ISMS, ITSM, COBIT, PCI-DSS) ▪ Gateway Security, End Point Security, Anti-APT Solution ▪ Security and Process Based Skill Development Programs
  154. 154. www.primeinfoserv.com | info@primeinfoserv.com Questions?
  155. 155. Mobile : +91 98300 17040, +91 90624 67427 Email : smukherjee@primeinfoserv.com , info@primeinfoserv.com , sales@primeinfoserv.com Web : www.primeinfoserv.com PRIME INFOSERV LLP (AN ISO 9001:2008 AND 27001:2013 CERTIFIED ENTERPRISE) DL-124, 1st Floor, Salt Lake, Sector – II, Kolkata – 700091, India Phone : +91 33 6526 0279, +91 33 4008 5677, +91 78900 19076, +91 84200 56620 CONTACT US
  156. 156. THANK YOU

×