Risk, regulation and data protection
1. Risk, Regulations and Data Protection
Shahar Geiger Maor, Senior Analyst
www.shaharmaor.blogspot.com http://www.facebook.com/shahar.maor http://twitter.com/shaharmaor
2. What is Risk?
Shahar Maor’s work Copyright 2011 @STKI Do not remove source or attribution from any graphic or portion of graphic 2
3. Risk Management…
• Risk management is present in all aspects of life
• It is about the everyday trade-off between an expected reward and a potential danger
• It is universal, in the sense that it refers to human behaviour in the decision-making process
4. No Risk… No Gain!
5. Benefits of Risk Management
Potential benefits (diagram):
• Increased certainty and fewer surprises
• Supports strategic and business planning
• Better service delivery
• More efficient use of resources
• Quick grasp of new opportunities
• Promotes continual improvement
• Reassures stakeholders
• Helps focus internal audit programme
6. • ERM is an ongoing process
• ERM is an integral part of how an organization operates
• ERM applies to all organizations, not just financial organizations
• Risk applies broadly to all things threatening the achievement of organizational objectives
• Risk is not limited to threats, but also refers to opportunities
• The goal of an organization is not “risk mitigation”, but seeking an appropriate “risk-return position”
7. Regulations – The Olympic Minimum Syndrome
8. When Regulation is a Good Idea…
9. SOX
10. Ultimate Liability
Countrywide’s Angelo Mozilo, Bear Stearns’ Jimmy Cayne, Lehman Brothers’ Dick Fuld, and Merrill Lynch’s John Thain
11. Security Echo-System: Key Roles
Diagram of key roles:
• Senior Management
• CISO
• Custodian
• Data owners
• Users
12. PCI-DSS:
Israeli Market and Challenges
Diagram: a typical merchant environment (POS Terminals, PIN Pads, DSL Router, Network, POS Server, 3rd Party Scan Vendor, Policies) mapped against PCI-DSS Requirements 1 through 12.
13. Information Security “Threatscape”
14. Social Engineering
15. Social Engineering
Preventing social engineering:
• Verify identity
• Do not give out passwords
• Do not give out employee information
• Do not follow commands from unverified sources
• Do not distribute dial-in phone numbers to any computer system except to valid users
• Do not participate in telephone surveys
Reacting to social engineering:
• Use Caller ID to document the phone number
• Take detailed notes
• Get the person’s name/position
• Report incidents
16. Phishing
• A social engineering scam
• A scam that uses email or websites to deceive you into disclosing sensitive information
• How does it work?
– You receive an email or pop-up message
– The message usually says that you need to update or validate your account information
– It might threaten some dire consequence if you don’t respond
– The message directs you to a bogus website
– You type sensitive info… and that’s it…
17. Technologies Categorization 2010-2011
Chart: security technologies positioned on a Market Maturity axis (Using / Implementing / Looking) against a second axis labelled Market Curiosity / IT Project / Major Changes; size of figure = complexity/cost of project.
Technologies shown: Cyber Warfare, “Social” Security, Mobile Sec, DLP, IRM, Application Security, Cloud Security, Endpoint Security, Security Management, Network Security, Data Protection
Source: STKI
19. Mobile sec
20. “Social Security”
21. Data Centric Approach
Build a wall – “perimeter security” vs. “Business of Security” – security is built into the business process
22. Data Security Domain
Source: Securosis
23. STKI Index 2010-2011 – Top Queries to STKI
• EPS/mobile: 14%
• Market/Trends: 13%
• Access/Authentication: 12%
• Network Sec: 12%
• GW: 10%
• DB/DC SEC: 9%
• DCS: 9%
• Vendor/Product: 8%
• Regulations: 7%
• SIEM/SOC: 3%
• Miscellaneous: 2%
• Encryption: 1%
Source: STKI
24. Internal vs. External Human Threats
25. Leakage Mitigation in Israel
Diagram of leakage mitigation measures:
• Awareness
• Methodology
• IRM
• Vaulting
• Mail Protection
• DB protection
• GW protection
• Encryption
• Device Control
• Endpoint DLP
26. Protect your data
• Data Loss Prevention – Network
• Data Loss Prevention – Endpoint
• Data Loss Prevention – Storage
• Full Drive Encryption
• USB/Media Encryption/Device Control
• Enterprise Digital Rights Management
• Data Masking
• Entitlement Management
• DAM
• Storage Encryption
• Application Encryption
• Email Filtering
Second column of the slide:
• Access Management
• Entitlement Management
• Network Segregation
• Server/Endpoint Hardening
• USB/Media Encryption/Device Control
• Database Encryption
27. Top Insights
• Most organizations still rely heavily on “traditional” security controls like system hardening, email filtering, access management, and network segregation to protect data.
• Most organizations see unstructured data storage as their main security concern.
• Most organizations must meet at least 1 regulatory or contractual compliance requirement.
28. Top Insights – cont.
• Many organizations tend “not to touch” their prod DB.
DB protection: Estimated Technology Penetration (chart)
• Evaluating/Not using: 48%
• Using this technology: 52%
29. Identity and Access Management
30. Identity and Access Management
Diagram annotations: “this is where most activity occurs”; “A Leper Colony – keep away!!!”
31. Thank you!
Download this presentation: