Infocon Bangladesh 2016

PRIME INFOSERV LLP
▪ Prime Infoserv LLP is an IT-services company offering comprehensive
services to businesses across a broad range of platforms and
technologies.
▪ With Prime, organizations get more than just an outsourcing partner.
We hold strategic capabilities to compete better and deliver more for
the customers. By improving reliability, speed and agility, we enable
our customers to achieve sustainable differential advantage over
their competitors. Our engagement models are flexible, scalable,
secure and custom defined, based on specific individual needs of our
customers

PRIME SERVICE PORTFOLIO
Managed
Service
Consulting
Applications
System
Integration
Skill
Development

WHAT IS INFOCON
www.infoconglobal.org

OVERVIEW
▪ DO WE NEED TO TAKE INFORMATION SECURITY
CHALLENGES SERIOUSLY
▪ WHAT WE SHOULD BE DOING AS AN ORGANIZTION
TO ADDRESS THE MULTIPLE CHALLENGES.
▪ HOW WE CAN HELP YOU IN YOUR JOURNEY

DO WE NEED TO TAKE INFORMATION
SECURITY CHALLENGES SERIOUSLY ?

www.primeinfoserv.com | info@primeinfoserv.com
https://www.theguardian.com/technology/2015/oct
/13/nca-in-safety-warning-after-millions-stolen-
from-uk-bank-accounts

http://www.bloomberg.com/news/videos/b/da235614-3740-4f68-8176-c1a640fc73a1

www.primeinfoserv.com | info@primeinfoserv.comhttp://www.cnbc.com/2016/01/29/hsbc-cyber-attack-brings-internet-banking-down.html

Q: IN TODAY’S MARKET, WHAT CAN:
•Give your company a competitive advantage?
•Improve your reputation in the eyes of your customer?
•Demonstrate compliance to international and federal privacy laws?
•Improve system uptime and employee productivity?
•Ensure viable eCommerce?
▪ Answer: Information Security.

Limitations of Current information security systems
ENTERPRISE
CUSTOMERS
VENDORS
What happens if the employee with critical information with him leaves organization and joins the
competitors?
Competitors
ENTERPRISE
Employees take laptops out, what happens if the laptop is stolen?
What happens if the email gets accidentally marked to a vendor ?
Firewalls
VPN Network

WHAT’S THE PROBLEM?
▪ Your security people have to protect against thousands of
security problems.
▪ Hackers only need one thing to be missed.
▪ But with appropriate attention given to security, companies
can be reasonably well protected.

“All it takes is just one weak link in
the chain for an attacker to gain a foothold into
your network”

19
WHAT IS NEEDED?
Management concerns
• Market reputation
• Business continuity
• Disaster recovery
• Business loss
• Loss of confidential data
• Loss of customer confidence
• Legal liability
• Cost of security
Security
Measures/Controls
• Technical
• Procedural
• Physical
• Logical
• Personnel
• Management

CALL TO ACTION
Poor information security outcomes
are commonly the result of
poor management
and not
poor technical controls.
The 27000 series of ISMS Standards tackle the information problems we face from the management
perspective.
- It is not easy, but it is best practice and it works

THE GOLDEN RULE IN INFORMATION SECURITY !
Business Needs First,
Technology Needs Last.

(No More of This)
THE FIRST STEP -START BY ACKNOWLEDGING THE
PROBLEM…

MANAGING INFORMATION SECURITY -
RINGS OF PROTECTION

EFFECTIVE MANAGEMENT SYSTEMS
▪ Effective management systems include:
▪ Clear delineation of roles and responsibilities
▪ Written policies and procedures
▪ Training
▪ Internal controls
▪ Effective oversight
▪ Information sharing
▪ Systems must provide reliable and current information on effectiveness and
efficiency of the process .

SECURITY RISK MANAGEMENT PRINCIPLES
•Information Security is a business problem, not just an IT problem
•Information Security risks need to be properly managed just like any
other business risk
•Lifecycle management is essential – there are always new threats
and new vulnerabilities to manage (and new systems , new people
new technologies, etc., etc.)

Information Security
WHERE DO I APPLY INFORMATION SECURITY
Process
Layer
Technology
Layer
People
Layer
Facilities
Layer
Strategy
Layer
Data/Appl.
Layer
 Is your IS strategy complete?
Does it address key issue?
 Privacy rights must be balanced with security
exposures.
 Ensure that your security processes function and
produce intended results.
 Sensitive and critical data must be available,
managed, and utilized in a secure fashion.
 IT is the foundation for data management and
process execution maximize uptime and security.
 The best strategies and processes will be
undermined if availability and security of physical
assets is not ensured.
Way Ahead
ItAppliesatAllLayers

SECURITY RISK MANAGEMENT:
EDUCATION
• One of the largest security risks in your enterprise is untrained employees – this
especially includes upper management
• Who cares what technology you have if an employee will give their password
over the phone to someone claiming to be from the help desk?
• Are users aware of their roles and responsibilities as they relate to information
security?
• Are users aware of security policies and procedures?
• Do users know who to call when there are security problems?

WHAT WE SHOULD BE DOING AS AN ORGANIZTION
TO ADDRESS THE MULTIPLE CHALLENGES.

GOVERNANCE RISK AND COMPLIANCE

INFORMATION SECURITY & IT GOVERNANCE

Existing Problems
 Organizations are often working at the tactical level without a strategic framework
 Examples:
 Security tools
 Incident response
 Lack of regular feedback to executive management
 Examples:
 Ad hoc testing occurs without a pre-defined structure
 Few requirements for action plans to provide solutions

Make Security Strategic
Stove-pipe management leads to gaps
Department Department Department Department
G
A
P
G
A
P
G
A
P

Information Security & IT Governance
 What is information security governance?
 Leadership
 Framework established to ensure that all the security elements put in place to protect
your data environment work efficiently, accomplish what is intended, and do so cost
effectively
 Processes to carry out what is intended by the leadership‘
 Why is it important?
 Provides a framework for secure business operations in an
interconnected world
 Ensures the organization ’s security resources are well spent
 Gains international respect

Department Department Department Department
A Holistic Approach to Governance
Security
Risk Management

Information Security & IT Governance
 What does it need to include?
 Alignment with the information security strategy of the organization
 Management of risks
 Efficient and effective management
 Verification of results
 What benefits can be gained from a security governance program?
 International recognition
 Fewer breaches to deal with/increased efficiency
 More effective use of resources

Organizational Governance
Governance Model
Security Governance
IT Governance
Financial Governance
Policies
&
Procedures
Verification Reporting

Tiered Security Process
CIO
CISO
Business Processes
Systems and Infrastructure
Risks
Audit Results
Vulnerability
Assessments
Continuous
Monitoring
Page 12
Security
Awareness
Policies
Guidelines
Standards
Drive the
Program
Feedback
Security Management

Best Practices Security Governance
Approve
Define
Interpret
Implement Operations
Operational
Governance
Enterprise Policy
and Standards
Executive
Leadership –
Executive
Mgmt/
CIO
CISO
Line of
Business
Human
Resources
Line of
Business
Datacenter

Governance Implementation
The Role of Executive Management - Strategic
 Commit To Holistic Security Excellence
 Set a common vision
 Establish principles to guide the program
 Commit To a Program
 Create the security program plan
 Apply the necessary resources
 Manage Change
 Drive transformation through organization
 Measure Success
 Internal testing and measurement
 Audit improvement

IT GOVERNANCE
▪ IT Governance is an integral part of the corporate
governance involves leadership support,
organizational structure and processes to ensure
that a bank’s IT sustains and extends business
strategies and objectives.
▪ Effective IT Governance is the responsibility of the
Board of Directors and Executive Management.

WHY IT GOVERNANCE?
– IT is critical in supporting and enabling bank’s
business goals
– IT is strategic to business growth and innovation
– Due diligence is increasingly important due to IT
implications of mergers and acquisitions
– Risks of failure have wider reputational impact

ROLES & RESPONSIBILITIES
SNo. Roles & Responsibilities Responsibility Description
(i) Board of Directors/ IT Strategy
Committee
Approving IT strategy and policy documents, Ensuring that the IT organizational structure
complements the business model and its direction etc.
(ii) Risk Management Committee Promoting an enterprise risk management competence throughout the bank, including
facilitating development of IT-related enterprise risk management expertise
(iii) Executive Management Level Among executives, the responsibility of Senior executive in charge of IT operations/Chief
Information officer (CIO) is to ensure implementation from policy to operational level
involving IT strategy, value delivery, risk management, IT resource and performance
management.
(iv) IT Steering Committee Its role is to assist the Executive Management in implementing IT strategy that has been
approved by the Board. An IT Steering Committee needs to be created with
representatives from the IT, HR, legal and business sectors.

POLICIES & PROCEDURES
▪ The bank needs to have IT-related strategy and policies
▪ IT strategy and policy needs to be approved by the Board
▪ Detailed operational procedures may be formulated in
relevant areas including for data center operations
▪ A bank needs to follow a structured approach for the long-
range planning process considering multiple factors
▪ There needs to be an annual review of IT strategy and policies
taking into account the changes to the organization’s business
plans and IT environment

POLICIES & PROCEDURES
▪ Banks need to establish and maintain an enterprise architecture framework
or enterprise information model to enable applications development and
decision-supporting activities, consistent with IT strategy.
▪ There is also a need to maintain an “enterprise data dictionary” that
incorporates the organization’s data syntax rules.
▪ Banks need to establish a classification scheme that applies throughout the
enterprise, based on the criticality and sensitivity (e.g. public, confidential,
or top secret) of enterprise data.
▪ There is a need for a CIO in bank. He has to be the key business player and a
part of the executive decision-making function. His key role would be to be
the owner of IT functions: enabling business and technology alignment.
▪ Bank-wide risk management policy or operational risk management policy
needs to be incorporate IT-related risks also. The Risk Management
Committee periodically reviews and updates the same (at least annually).

SNo. Roles & Responsibilities Responsibility Description
(i) Boards of Directors/Senior
Management
The Board of Directors is ultimately responsible for information security. Senior
Management is responsible for understanding risks to the bank to ensure that they
are adequately addressed from a governance perspective.
(ii) Information Security
Team/Function
Banks should form a separate information security function/group to focus
exclusively on information security management.
(iii) Information Security
Committee
Includes business heads from different units and are responsible for enforcing
companywide policies & procedures.
(iv) Chief Information Security
Officer (CISO)
A sufficiently senior level official of the rank of GM/DGM/AGM needs to be
designated as the Chief Information Security Officer (CISO) responsible for
articulating and enforcing the policies that a bank uses to protect its information
assets. The CISO needs to report directly to the Head of the Risk Management
function and should not have a direct reporting relationship with the CIO.

R&R
S No. Roles & Responsibilities Responsibility description
1 Board of Directors and Senior
Management
To meet the responsibility to provide an independent audit function with sufficient resources
to ensure adequate IT coverage, the board of directors or its audit committee should provide
an internal audit function which is capable of evaluating IT controls adequately.
2 Audit Committee of the Board The Audit Committee should devote appropriate and sufficient time to IS audit findings
identified during IS Audits and members of the Audit Committee would need to review
critical issues highlighted and provide appropriate guidance to the bank’s management.
3 Internal Audit/Information System
Audit function
Banks should have a separate IS Audit function within the Internal Audit department led by an
IS Audit Head, assuming responsibility and accountability of the IS audit function,
reporting to the Chief Audit Executive (CAE) or Head of Internal Audit.

IS AUDIT
S No. Component Description
(i) IS Audit Because the IS Audit is an integral part of the Internal Auditors, auditors will also be required to be independent,
competent and exercise due professional care.
(ii) Outsourcing
relating to IS Audit
Risk evaluation should be performed prior to entering into an outsourcing agreement and reviewed periodically
in light of known and expected changes, as part of the strategic planning or review process.
2 Audit Charter,
Audit Policy to
include IS Audit
An Audit Charter / Audit Policy is a document which guides and directs the activities of the Internal Audit
function. IS Audit, being an integral part of the Internal Audit function, should also be governed by the same
Audit Charter / Audit Policy. The document should be approved by the Board of Directors. IS Audit policy/charter
should be subjected to an annual review to ensure its continued relevance and effectiveness.
3 Planning an IS
Audit
Banks need to carry out IS Audit planning using the Risk Based Audit Approach. The approach involves aspects
like IT risk assessment methodology, defining the IS Audit Universe, scoping and planning the audit, execution
and follow up activities.
4 Executing IS Audit During audit, auditors should obtain evidences, perform test procedures, appropriately document findings, and
conclude a report.
6 Reporting and
Follow up
This phase involves reporting audit findings to the CAE and Audit Committee. Before reporting the findings, it is
imperative that IS Auditors prepare an audit summary memorandum providing overview of the entire audit
processing from planning to audit findings.
7 Quality Review It is to assess audit quality by reviewing documentation, ensuring appropriate supervision of IS Audit members
and assessing whether IS Audit members have taken due care while performing their duties.

R&R
SNo. Roles & Responsibilities Responsibility description
(a) Board of Directors and
Senior Management
Indian banks follow the RBI guideline of reporting all frauds above 1
crore to their respective Audit Committee of the Board.
1.1. BCP Head or Business
Continuity Coordinator
A senior official needs to be designated as the Head of BCP activity
or function
1.2. BCP Committee or Crisis
Management Team
Present in each department to implement BCP department wise.
1.3 BCP Teams There needs to be adequate teams for various aspects of BCP at
central office, as well as individual controlling offices or at a branch
level, as required.

SNo Component Description
2.1 BCP Methodology Banks should consider various BCP methodologies and standards, like BS 25999, as inputs for their BCP framework.
2.3 Key Factors to be
considered for BCP
Design
Following factors should be considered while designing the BCP:
• Probability of unplanned events, including natural or man-made disasters, earthquakes, fire, hurricanes or bio-
chemical disaster
• Security threats
• Increasing infrastructure and application interdependencies
• Regulatory and compliance requirements, which are growing increasingly complex
• Failure of key third party arrangements
• Globalization and the challenges of operating in multiple countries.
3 Testing a BCP Banks must regularly test BCP to ensure that they are up to date and effective: Testing of BCP should include all aspects
and constituents of a bank i.e. people, processes and resources (including technology). Banks should consider having
unplanned BCP drill, Banks should involve their Internal Auditors (including IS Auditors) to audit the effectiveness of
BCP etc. Various other techniques shall be used for testing the effectiveness of BCP.
4 Maintenance and
Re-assessment of
Plans
BCPs should be maintained by annual reviews and updates to ensure their continued effectiveness. Changes should
follow the bank’s formal change management process in place for its policy or procedure documents. A copy of the BCP,
approved by the Board, should be forwarded for perusal to the RBI on an annual basis.
5 Procedural aspects
of BCP
Banks should also consider the need to put in place necessary backup sites for their critical payment systems which
interact with the systems at the Data centers of the Reserve Bank.
6 Infrastructural
aspects of BCP
Banks should consider paying special attention to availability of basic amenities such as electricity, water and first-aid
box in all offices.
7 Human Aspect of
BCP
Banks must consider training more than one individual staff for specific critical jobs, They must consider cross-training
employees for critical functions and document-operating procedures.
8 Technology aspects
of BCP
Applications and services in banking system which are highly mission critical in nature and therefore requires high
availability, and fault tolerance to be considered while designing and implementing the solution.

OFFER CLOSES AT THE END OF THIS MONTH!!
•This BMW car is
available for $
20,000/- only!

JUST ONE CAVEAT
22/04/2016
BRiSK_April20
15
•The positions of the brake and
the accelerator are
interchanged; the brake is on
the right and the accelerator on
the left.

WHAT WOULD YOU LIKE TO DO?
22/04/2016
BRiSK_April20
15
•Would you avail the offer,
as is ?
•Would you like to revert to
the typical design (at
additional cost)?
•Would you like to get re-
trained to drive this car?
•Would you like to get
insured at a higher
premium, or hire a driver
who can manage this
design?
Accept the risk
Avoid the risk
Mitigate the risk
Transfer the risk

RISK - DEFINITION
Source Definition
ISO/IEC Guide 73:2002 ‘Combination of the probability of an event and its consequence.’
AS/NZS 4360:2004 ‘Chance of something happening that will have an impact on objectives.’
COSO (2004) ERM - Integrated
Framework
‘Events with a negative impact represent risks, which can prevent value
creation or erode existing value. Events with positive impact may offset
negative impacts or represent opportunities.’
Lars Oxelheim and Clas
Wihlborg (2008) Corporate
Decision-Making with
Macroeconomic Uncertainty
‘The concept of risk refers in general to the magnitude and likelihood of
unanticipated changes that have an impact on a firm’s cash flows, value or
profitability. […] Risk has a negative connotation, but uncertainty can be a
source of opportunities as well as costs.’
BRiSK_April2015 22/04/2016

LET’S LOOK AT THE ASPECTS OF ANY RISK SITUATION
BRiSK_April2015 22/04/2016

Mission
Business Objectives
Business Risks
Applicable Risks
Infosec Controls
Review
Aligning Business & Risk Management for Infosec

LET’S CALIBRATE ON OUR DISCUSSION
We have a
reflex to
identify risks
Decisions are
influenced by
nature of risks
applicable
Risk is not only
un-certainty;
its the effect of
uncertainty
The rigor of
treatment
should be
commensurate
to the
magnitude and
type of risk

OBJECTIVES CAN BE….
Business Objectives
(examples)
Risk Management
Objectives (examples)
IS / BC Objectives
(examples)
• Market share
• Profit margin
• Competitive advantage
• Protect business value
• Embedded at all levels i.e. strategic,
tactical and operational
• On-time & effective risk treatment
• Availability of services at all times
• Legal and regulatory compliance
• Protect health and safety of
personnel
BRiSK_April2015 22/04/2016

RISK MANAGEMENT, ISO/IEC GUIDE 73, 2002

STRUCTURE OF ISO/IEC 27001 / ISO 22301 / ISO 9001
4 Context of
the
organization
Understandin
g the
organization
and its
context
Expectations
of interested
parties
Scope of ISMS
ISMS
(PDCA)
5 Leadership
Leadership
and
commitment
Policy
Org. roles,
responsibilities
and authorities
6 Planning 7 Support
Resources
Competence
Awareness
Communication
8 Operation
9 Performance
evaluation
Monitoring,
measurement,
analysis and
evaluation
Internal audit
Management
review
10
Improvement
Nonconformity
and corrective
action
Continual
improvement
PLAN DO CHECK ACT
Documented
information
Actions to
address risks
and
opportunities
IS objectives
and plans to
achieve them
Operational
planning and
control
Information
security risk
assessment
Information
security risk
treatment
New
Major
clause
New section
with emphasis
on
measurable
objectives
Concept of
preventive
action moved
to Clause 6
(planning)
New section with
emphasis on
methods of
measurement &
performance
analysis
New section on
Communication
strategy
A

RISK CRITERIA
▪ “Risk criteria are the parameters established by the organization to allow it to
describe risk and make decisions about the significance of risk . These decisions
enable risk to be assessed and treatment to be selected”. (ISO TR 31004:2013)
▪ Risk criteria can be based on organisational objectives, context , risk appetite
▪ Risk criteria can also be derived from standards, laws, policies and other
requirements
22/04/2016

EXAMPLES OF RISK CRITERIA
Impact & Probability Criteria (Examples)
• SLA
• Cost of recovery (criticality of assets)
• Number of sites or personnel affected
• Man-hours of production time
• Damage to reputation,
• Legal or regulatory penalties
• Strategic value of the business process
• Number of incidents (likelihood)
Acceptance Criteria (Examples)
• Different residual levels may apply to
different classes of risk, e.g. Risks that
could result in legal / regulatory non-
compliance may have a very low residual
level (qualitative or quantitative)
• Risk owners may accept risks above the
acceptance level under defined
conditions, (for example if there is a
commitment to take action to reduce it to
an acceptable level within a defined time)
22/04/2016

ISO/IEC 27001:2013& RISK MANAGEMENT
▪ PLAN PHASE: Risk assessment process mandatory
▪ DO PHASE: System of Internal controls to manage applicable risks
▪ CHECK PHASE: Internal Audit and Management Review process for
verifying effectiveness of controls
▪ DO PHASE: Process to implement necessary actions to improve the
systems of control

Likelihood X Impact = RISK
Risk Rating Very small Impact Moderate Impact Significant Impact Huge Impact
Unlikely Low Risk Low Risk Low Risk Low Risk
Realistic Possibility Low Risk Low Risk Moderate Risk Moderate Risk
Strong Likelihood Low Risk Moderate Risk Moderate Risk High Risk
Near Certainty Low Risk Moderate Risk High Risk High Risk
Page 14
Drive to the left

LET’S PUT IT TOGETHER
22/04/2016
A. Creates Value
B. Integral part of organisational
process
C. Part of Decision making
D. Explicitly address uncertainty
E. Systematic, Structured and
timely
F. Based on the best available
information
G. Tailored
H. Takes human and cultural
factors into account
I. Transparent and inclusive
J. Dynamic , iterative and
responsive to change
K. Facilitates continual
improvement and
enhancement of the
organisation
Principles Framework Process
Mandate &
Commitment (4.2)
Design of
Framework for
managing risk
(4.3)
Implementing risk
management
(4.4)
Monitoring and
review of the
framework (4.5)
Continual
improvement of
the framework
(4.6)
Establishing the context
(5.3)
Risk identification
(5.4.2)
Risk Analysis
(5.4.3)
Risk evaluation
(5.4.4)
Risk Treatment
(5.5)
Communicationandconsultation(.52.)
Monitoringandreview(5.6)
Risk Assessment (5.4)
Figure 1: ISO 31000:2009

Risk Management
Plan
Risk Analysis
Audits
DO
Plan of Action and Milestones
Check
Continuous Monitoring
“After-Action” Reports
Act
Revise Policy & Program
Redirect Risk Analysis
Page 16

WHAT IS COMPLIANCE?
• Compliance should be a program based on defined requirements
• Requirements are fulfilled by a set of mapped controls solving
multiple regulatory compliance issues
• The program is embodied by a framework
• Compliance is more about policy, process and risk management
than it is about technology

RISK & COMPLIANCE MGMT
Partners/
Customers
Regulations Control
Framework
Assessments
Policy
and
Awareness
Audits
Treat
Risks
Improve
Controls
Automate
Process
Risk
Assessment

RISK AND COMPLIANCE APPROACHES
Minimal Sustainable Optimized
• Annual / Project-based
Approach
• Minimal Repeatability
• Only Use Technologies Where
Explicitly Prescribed in
Standards and Regulations
• Minimal Automation
•Proactive / Planned Approach
•Learning Year over Year
•Use Technologies to Reduce
Human Factor
•Leverage Controls Automation
Whenever Possible
•Regulatory Requirements are
Mapped to Standards
•A Framework is in Place
•Compliance and Enterprise Risk
Management are Aligned
•Process is Automated

IDENTIFY DRIVERS
Partners/
Customers
Regulations
Risk
Assessment

IDENTIFY DRIVERS
Compliance is NOT just about regulatory compliance. Regulatory
compliance is a driver to the program, controls and framework
being put in place.
Managing compliance is fundamentally about managing risk.

IDENTIFY DRIVERS
• Risk Assessment
– Identify unique risks and controls requirements
• Partners / Customers
– Partners represent potential contractual risk
– Customer present privacy concerns
• Regulations – regulatory risk is considered as part of overall
risk

DEVELOP PROGRAM
Partners/
Customers
Regulations Control
Framework
Policy
and
AwarenessRisk
Assessment

WHAT IS A CONTROL?
*Source: ITGI, COBIT 4.1
Control is defined as the policies, procedures, practices and
organizational structures designed to provide reasonable
assurance that business objectives will be achieved and
undesired events will be prevented or detected and corrected.

WHAT IS A FRAMEWORK?
A framework is a set of controls and/or guidance organized
in categories, focused on a particular topic.
A framework is a structure upon which to build strategy,
reach objectives and monitor performance.

WHY USE A FRAMEWORK?
• Enable effective governance
• Align with business goals
• Standardize process and approach
• Enable structured audit and/or assessment
• Control cost
• Comply with external requirements

FRAMEWORKS AND CONTROL SETS
• ISO 27001/27002
• COBIT
• ITIL
• NIST
• Industry-specific – i.e. PCI
• Custom

ISO 27001/27002
• Information Security Framework
• Requirements and guidelines for development of an ISMS
(Information Security Management System)
• Risk Management a key component of ISMS
• Part of ISO 27000 Series of security standards

ISO 27001 – MGMT FRAMEWORK
▪ Information Security Management Systems –
Requirements (ISMS)
▪ Process approach
▪ Understand organization’s information security requirements
and the need to establish policy
▪ Implement and operate controls to manage risk, in context of
business risk
▪ Monitor and review
▪ Continuous improvement

THE KEY CONTROL CLAUSES IN ANNEX A OF ISO /IEC
27001:2013

BUILDING A FRAMEWORK
Risk
Assessment &
Treatment Security
Policy
Organizing
Information
Security
Asset
Management
Human
Resources
Security
Physical and
Environmental
SecurityCommunications
and Operations
Management
Access
Control
IS Acquisition,
Development and
Maintenance
Information
Security Incident
Management
Business
Continuity
Management
Compliance
Operational
Controls
Technical
Controls
Management
Controls
Protected Information
ISO 27002: Code of Practice for
Information Security Management

FRAMEWORKS COMPARISON
Framework Strengths Focus
COBIT Strong mappings
Support of ISACA
Availability
IT Governance
Audit
ISO 27001/27002 Global Acceptance
Certification
Information Security Management
System
ITIL IT Service Management
Certification
IT Service Management
NIST 800-53 Detailed, granular
Tiered controls
Free
Information Systems
FISMA
PCI DSS Card Industry Specific IT Controls to protect Card holder
Information

What is PCI Compliance?
 Definition – Payment Card Industry Data
Security Standard (PCI-DSS)
 Set up in 2004 by Visa, MasterCard,
American Express, Discover, and JCB to
reduce the risk of credit card theft and
transfer liability to merchants
 Requires mandatory adoption by all
businesses that store, process, or
transmit credit/debit card data
6Control Objectives
6Control Objectives
12Core Requirements
280+Audit
Procedures

12 RULES OF PCI DSS COMPLIANCE
NEW VENTURES - PAYMENTS
Build and Maintain a Secure Network
Requirement 1 Install and maintain a firewall configuration to protect cardholder data
Requirement 2 Do not use vendor supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3 Protect stored cardholder data
Requirement 4 Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5 Use and regularly update anti-virus software or programs
Requirement 6 Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7 Restrict access to cardholder data by business need to know
Requirement 8 Assign a unique ID to each person with computer access
Requirement 9 Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 11 Track and monitor all access to network resources and cardholder data
Requirement 11 Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12 Maintain a policy that addresses information security for all personnel.

PCI INTENT - IN ONE SENTENCE…
Protect card holder data (CHD) from inappropriate
disclosure

CHD – IT GETS EVERYWHERE!!!!
Just a few places where
we have found CHD !

COMMON CHALLENGES TO ACHIEVE PCI COMPLIANCE
• Fully understand and document the processes and payment environment
• Tracking and monitoring of access to payments card systems and data
• Controlling logical access (authentication) to systems containing payment card data
• Security event monitoring across a disparate environment
• Limited security capabilities (authentication, monitoring, etc…) of legacy systems
• Remediation of controls across large (often legacy) distributed environments
• Encryption of payment card data
• Putting PCI contractual language in place for third party service providers
• Obtaining management support to perform remediation

BENEFITS OF COMPLIANCE
• Protect customers’ personal data
• Boost customer confidence through a higher level of data
security
• Lower exposure to financial losses and remediation costs
• Maintain customer trust and safeguard the reputation of the
brand
• Provide a complete “health check” for any business that stores
or transmit customer information

AUDIT AND REMEDIATE
Partners/
Customers
Regulations Control
Framework
Assessments
Policy
and
Awareness
Audits
Treat
Risks
Risk
Assessment

ORGANIZATION EXAMPLE
Internal
Audit
COBIT
ITIL
IT Service Desk
ISO 27001/27002
CMMi
Software Delivery

CONTROLS ALIGNMENT
How aligned are your controls?
Assessment
(Information Security, IT
Risk Management)
Internal Audit
(IT/Financial Audit)
External Audit
(Regulatory and Non-
Regulatory)

REMEDIATION PRIORITIES
• Where are our greatest risks?
• What controls are we fulfilling?
• How many compliance requirements are we solving?

IMPROVE AND AUTOMATE
Partners/
Customers
Regulations Control
Framework
Assessments
Policy
and
Awareness
Audits
Treat
Risks
Improve
Controls
Automate
Process
Risk
Assessment

CONTROLS HIERARCHY
Manual
Require human intervention Vs.
Automated
Rely on computers to reduce human
intervention
Detective Preventive
Designed to search for and identify
errors after they have occurred
Designed to discourage or preempt
errors or irregularities from
occurring
Vs.

AUTOMATED AND PREVENTIVE
Logging and Monitoring
Not Efficient Efficient
Reviewing logs for incidents An automated method of
detecting incidents
Not Effective Effective
Missing the incident due to human
error
Preventing the incident from
occurring in the first place

AUTOMATE THE PROCESS
• How do you currently measure compliance?
• Reduce documents, spreadsheets and other forms of manual
measurement
• Create dashboard approach
• Governance, Risk and Compliance toolsets

GRC AUTOMATION
Enterprise
Multi-Function
Single Function
•Enterprise Scope
•Highly Configurable
•Multiple Functions (Risk,
Compliance, Policy)
•Sophisticated Workflow
•Functionality More Limited
•More “out of the box”
•Modest Workflow
•Specific Process
•Specific Standard or Regulation
•Simple Workflow

CUSTOM DEFENSE :
TARGETED ATTACKS AND
ADVANCED THREATS &
VULNERABILITY PROTECTION
Confidential | Copyright 2013 Trend Micro Inc.

Advanced
Targeted Threats
Empowered
Employees
De-Perimeterization
Virtualization, Cloud,
Consumerization & Mobility
TODAY, TRADITIONAL SECURITY IS
INSUFFICIENT
Source: Forrester
i.e., Stuxnet, Epsilon,
Aurora, Mariposa, Zeus,
Sony PlayStation, etc.
& Wikileaks
Trend Micro evaluations find over 90% of enterprise networks
contain active malicious malware!

THE NEED FOR REAL-TIME RISK
MANAGEMENT
SOURCE: VERIZON 2011 DATA BREACH REPORT
1/3 of infections result in compromise within minutes, but
most are not discovered or contained for weeks or months!

ANALYSTS AND INFLUENCERS URGE
ACTION
 “Zero-Trust” security model
 Use of Network Analysis and Visibility Tools
 “Lean Forward” proactive security strategy
 Use of Network Threat Monitoring Tools
 “Real-Time Risk Management”
 Use of Threat Monitoring Intelligence
 US Federal Risk Management Framework
 Calls for “Continuous Monitoring”

A Typical Targeted Attack
Intelligence Gathering
Identify & research target individuals using
public sources (LinkedIn, Facebook, etc) and prepare
a customized attack.
1
Point of Entry
The initial compromise is typically from zero-day malware
delivered via social engineering (email/IM or drive by
download). A backdoor is created and the network can now
be infiltrated. (Alternatively, a web site exploitation
or direct network hack may be employed.)
2
Command & Control (C&C) Communication
Allows the attacker to instruct and control the compromised
machines and malware used for all subsequent phases.
3
Lateral Movement
Once inside the network, attacker compromises additional
machines to harvest credentials, escalate privilege levels
and maintain persistent control.
4
Asset/Data Discovery
Several techniques (ex. Port scanning) are used to identify
the noteworthy servers and the services that house the
data of interest.
5
Data Exfiltration
Once sensitive information is gathered, the data is
funneled to an internal staging server where it is chunked,
compressed and often encrypted for transmission
to external locations.
6

HOW LONG DO TARGETED ATTACKS / APTS STAY HIDDEN?
Most companies are breached in minutes but it is not
discovered for months!
Source: Verizon Data Breach Investigations Report 20121
1Confidential | Copyright
2012 Trend Micro Inc.
Average time from
compromise to discovery
is 210 days

APTS MOST COMMONLY START WITH A
SPEAR PHISHING EMAIL WITH AN
ATTACHMENT

Antivirus
Compare malicious
binary files and
attachments, like the
‘copy.docx’ file
to known virus
signatures
Sender Reputation
Block email from known
suspected spammers, like
readjustedha6@12481b
matter.com

Lexical Analysis
Analyze word
combinations &
patterns commonly
found in spam


Sender Reputation
Example@emailinfo.e
xample.com is not
known for sending out
spam
X
Antivirus
Script-based attack; no
known signatures or
history of similar
attacks
Lexical Analysis
No commonly used
word combinations
or patterns of spam
X
X

▪ Spread through direct
messages with “hidden video”
lure
▪ Utilizes obfuscation techniques
(re-direct)
▪ Steals account credentials
▪ “Missing Adobe” message
causes dropper file
▪ 23% detection rate by AV
engines
▪ Websense customers were
protected
EXAMPLE - SOCIAL MEDIA
115

117
• PII Continues
• Credit Cards
• Identification
• IP Theft Grew
• Government
• Commercial
Insider Threat
• Accidental
• Phishing
• Intentional
• Physical
• Electronic

"While traditional antivirus [vendors] may be able to spot and deflect many kinds of
attacks, they're not well-equipped to handle targeted attacks. But there are
technologies able to detect such attacks, if not entirely prevent them."

WHY CURRENT DEFENSES FAIL
3 FORWARD FACING ONLY,
LACK OUTBOUND
PROTECTION
Not data-aware, lack contextual
analysis, minimal to no forensic
visibility
2 LACK OF REAL-TIME
INLINE CONTENT ANALYSIS
Collect samples for lab analysis using
background processes
Producing new signatures (network/file)
and reputations (URL/file)
4 MORE OF THE SAME IN
NEW DEPLOYMENT OPTIONS
UTMs, NGFWs, IDSs, Network Threat
Monitors
SSL severely impacts performance,
or blind to it
1 PRIMARILY BASED ON
SIGNATURE & REPUTATION
History is not a reliable indicator of
future behavior.
Signature creation cannot keep up with
the dynamic creation of threats

Source: Asymco.com,

SECURITY FIRM - RSA ATTACKED
USING EXCEL FLASH
http://downloadsquad.switched.com/2011/04/06/security-firm-rsa-attacked-using-excel-flash-one-two-sucker-punc/

Trend Micro’s Custom Defense Solution

Custom Defense
Advanced Malware
Detection
Contextual
Threat Analysis
Automated
Security Updates
Command & Control
Detection
Attacker
Activity Detection
Threat Impact
Assessment
Enterprise
Network
EndpointsGateways
Third Party
Security
Information
Security
Email
Network

DEEP DISCOVERY
• Network traffic inspection
• Advanced threat detection
• Real-time analysis & reporting
Deep Discovery
Inspector
Deep Discovery
Analyzer
Deep Discovery provides the visibility, insight and control you
need to protect your company against APTs and targeted attacks
Targeted Attack/APT Detection
In-Depth Contextual Analysis
Rapid Containment & Response
• Custom scalable threat simulation
• Deep investigation & analysis
• Actionable intelligence & results

DEEP DISCOVERY INSPECTOR
• Network traffic inspection
• Advanced threat detection
• Real-time analysis & reporting
Network Inspection Platform
Network Visibility,
Analysis & Control
Deep Discovery Inspector
• Visualization
• Analysis
• Alarms
• Reporting
Network Inspection Platform
Threat
Detection
Virtual
Analyzer
Watch
List
Threat
Connect
SIEM
Connect

• Emails containing embedded
document exploits
• Drive-by downloads
• Zero-day & known malware
• C&C communication for all
malware: bots, downloaders,
data stealing, worms, blended…
• Backdoor activity by attacker
• Malware activity: propagation,
downloading , spamming, …
• Attacker activity: scan, brute
force, tool download , …
• Data exfiltration
Attack Detection
• Decode & decompress embedded files
• Sandbox simulation of suspicious files
• Browser exploit kit detection
• Malware scan (Signature & Heuristic)
• Destination analysis (URL, IP, domain,
email, IRC channel, …) via dynamic
blacklisting, white listing
• Smart Protection Network reputation
of all requested and embedded URLs
• Communication fingerprinting rules
• Rule-based heuristic analysis
• Identification and analysis of usage of
100’s of protocols & apps including
HTTP-based apps
• Behavior fingerprinting
Detection Methods
HOW DEEP DISCOVERY WORKS

DEEP DISCOVERY:
KEY FEATURES
• Deep content inspection
across 80+ of protocols
& applications
• Smart Protection Network reputation
and dynamic black listing
• Sandbox simulation and analysis
• Communication fingerprinting
• Multi-level rule-based event correlation
• And more… Driven by Trend Micro threat
researchers and billions of daily events
Specialized Threat Detection
Across the Attack Sequence
Malicious Content
• Emails containing embedded
document exploits
• Drive-by Downloads
• Zero-day and known malware
Suspect Communication
• C&C communication for any
type of malware & bots
• Backdoor activity by attacker
Attack Behavior
• Malware activity: propagation,
downloading, spamming . . .
• Attacker activity: scan, brute
force, tool downloads. . .
• Data exfiltration communication

Real-Time Inspection
Analyze
Deep Analysis
CorrelateSimulate
Actionable Intelligence
Threat
Connect
Watch List GeoPlotting
Alerts, Reports,
Evidence Gathering
130
Visibility
– Real-time Dashboards
Insight
– Risk-based Analysis
Action
– Remediation Intelligence
Identify Attack
Behavior
& Reduce False
Positives
Detect Malicious
Content and
Communication
Out of band network
data feed of all network
traffic

CUSTOM DEFENSE 2.0
Control Manager
OfficeScan InterScan
Messaging
Security
InterScan
Web
Deep Discovery
Inspector/
Analyzer
SPN Feedback
Company A
SPN Feedback
ScanMailEndpoint
Sensor
1. Suspicious object list
2. Suspicious objects list/Action/IOC
Deep
Security
Block IOC
IOC

INCREASED IT SECURITY PRIORITY:
VULNERABILITY AND THREAT
MANAGEMENT
Source: Forrsights Security Survey, Q3 2010
Since 2008, “Managing
vulnerabilities and threats” has
moved from #5 to #2
“Which of the following initiatives are likely to be your firm’s
top IT security priorities over the next 12 months?”

Announcing: Trend Micro Real-Time
Threat Management Solutions
• Detect, analyze and remediate advanced threats
• Investigate incident events and contain their impact
• Monitor and optimize security posture
• Manage vulnerabilities & proactive virtual patching
• Augment security staff & expertise
Network-Wide
Visibility and Control
Actionable
Threat Intelligence
Timely Vulnerability
Protection
Threat Management System
Dynamic Threat Analysis System
Threat Intelligence
Manager
Vulnerability Mgmt. Services
Deep Security Virtual Patching
Smart Protection Network Intelligence
Risk Management Services

TREND MICRO THREAT MANAGEMENT
SYSTEM
TMS is a Network Analysis and Visibility solution that
provides the real-time visibility, insight, and control to
protect your company from advanced persistent attacks
Network Threat
Detection &
Deterrence
Automated
Remediation
Malware Forensic
Analysis Platform
Multi-Level Reporting
Risk Management
Services Offering
Over 300 Enterprise & Government Customers WW

TMS: VISIBILITY – INSIGHT – CONTROL
DataCenter
APT Implanted
Via Web, Email, USB…
Threat Discovery
Appliance
Command &
Control Server
APT Communication Detected
Threat Mitigator
Additional Analysis
Detailed Reports:
• Incident Analysis
• Executive Summary
• Root-cause Analysis
• Signature-free clean up
• Root-cause analysis
Threat Confirmed

DETECTION CAPABILITIES
New – DTAS Sandbox Detection Engine
New – Document Exploit Engine
• Multiple unique threat engines
• 24 hour event correlation
• Continually updated threat
relevance rules
• Data loss detection
• Tracks unauthorized app usage and
malicious destinations
• Powered by Smart Protection
Network and dedicated Trend
researchers
Best Detection Rates
Lowest False Positives
Real-Time Impact

TMS + Dynamic Threat Analysis System
• Sandbox execution
• Malware actions &
events
• Malicious destinations
• C&C Servers contacted
• Exportable reports &
PCAP files
• Backend integration
into TMS reporting &
Mitigator
Integrated malware execution and forensic analysis
Threat Discovery
Appliance
Direct File
Submission
Other Trend
Products

TREND MICRO THREAT INTELLIGENCE
MANAGER
Delivers threat intelligence and impact analysis needed
to identify and reduce exposure to advanced threats.
Incident Analysis and
Security Posture
Monitoring
Real-Time Threat
Analysis and
Visualization
Provide Actionable
Intelligence for active
threats
Visualize event
relationships in an
attack
Office Scan
Incident Discovery
Threat Discovery Appliance
Suspicious Network BehaviorThreat Intelligence
Manager
Threat Analysis and
Response
Consolidates threat events and uses advanced visualization
and intelligence to uncover the hidden threats!
Deep Security
System Integrity

CUSTOMIZABLE DASHBOARD
Access and visualization by role and responsibility

Threat Intelligence Manager
Endpoints
Network
Servers
• Multi-point detection
• Validation
• Threat Analysis
• Impact Assessment
• Automated Remediation
• Pro-active Protection
Real-Time Threat Management
In Action

NEW RISK MANAGEMENT SERVICES
▪ Proactive monitoring and alerting
▪ Threat analysis and advisory
▪ Threat remediation assistance
▪ Risk posture review and analysis
▪ Strategic security planning
Augment stretched IT security staff
Put Trend Micro Threat Researchers
and Service Specialists on your team
A complete portfolio
designed to further reduce
risk exposure and security
management costs
Increase IT security responsiveness
and expertise

WHY TREND MICRO?
Trend Micro is the only vendor providing integrated
real-time protection and risk management against
advanced targeted threats.
Network-Wide
Visibility and Control
Actionable
Threat Intelligence
Timely Vulnerability
Protection
Threat Intelligence
Manager
Vulnerability Mgmt. Services
Deep Security Virtual Patching
Smart Protection Network Intelligence
Risk Management Services
“Trend Micro has always impressed me with its understanding of
what its customers are going through and this reiterates it again.”
Richard Stiennon, IT-Harvest

THE VIRTUAL PATCHING SOLUTION
▪ Close window of vulnerability for
critical systems and applications
▪ Protect “unpatchable” systems
▪ Meet 30-day PCI patch requirement
Risk Mgt & Compliance
• Reduce patch cycle frequency
• Avoid ad-hoc patching
• Minimize system downtime
Operational Impact
Trend Micro Security Center provides
Virtual Patches within
hours of vulnerability disclosure
•Automated centralized distribution
•Protection available:
•Deep Security product module
•With OfficeScan IDF plugin
Automated
Monitoring Application
Analysis
Filter “Patch”
Development
Protection
DeliveryTrend Micro
Security Center Physical / Virtual / Cloud
Servers
Endpoints
& Devices

VULNERABILITY MANAGEMENT
SYSTEM▪ Vulnerability scanning
▪ Vulnerability scanning of internal and external
devices
▪ Patch and configuration recommendations
▪ Web application scanning
▪ Web site crawler to detect application design
vulnerabilities like SQL injection and cross-site
scripting etc.
▪ PCI compliant scanning
▪ Vulnerability scanning with reports for PCI
▪ Trend is an Approved Scanning Vendor
▪ Policy compliance
▪ Define and track compliance with device security
policies
▪ SaaS based management portal
▪ Hosted scans of external devices
▪ On-premise appliance for scanning internal
devices managed from SaaS portal
▪ On-demand scan
144

ADVANCED VISUALIZATION & IMPACT ANALYSIS
Visualize the relationship between cause and effect of each
threat event, and fully understand the impact

Jan 2011 results of testing conducted by AV-Test.org (qualified for internal use)
Results from T+60 test
0.0%
20.0%
40.0%
60.0%
80.0%
100.0%
100.0%
63.0%
70.5%
77.0%
61.5%
Total Percentage of threats blocked by all layers:
Exposure, Infection, Dynamic
Trend Micro OfficeScan McAfee VirusScan Microsoft Forefront
Sophos Endpoint Security Symantec Endpoint Protection
TREND MICRO SMART PROTECTION
NETWORK

http://us.trendmicro.com/us/trendwatch/core-technologies/competitive-benchmarks/nss-labs/index.html?cm_re=HP:Sub:1-_-CORP-_-
NSSlabs02
NETWORK

Industry-proven real-world protection
Note: If multiple products from one vendor were
evaluated, then vendor’s best performance is listed.
*1：http://www.nsslabs.com/research/endpoint-security/anti-malware/
*2：http://us.trendmicro.com/us/trendwatch/core-technologies/competitive-benchmarks/index.html
*3：http://www.dennistechnologylabs.com/reports/s/a-m/trendmicro/PCVP2010-TM.pdf
(Dec. Test performed for Computer Shopper UK)
*4 : http://www.av-comparatives.org/images/stories/test/dyn/stats/index.html
NETWORK

Interactive drill-down dashboards
• Navigate across corporate groups
• Pin-point infected sources
• Perform root-cause analysis
• Track suspicious user behavior and
application usage
• Detect leakage of regulated data
• Customizable event alarms
• Multi-level reporting for managers
and executives
• Available on-premise or hosted
THREAT MANAGEMENT PORTAL
Coming 2H 2011
• Improved drill down capability
• Sandbox analysis workbench

THREAT MITIGATOR TECHNOLOGY:
ROOT-CAUSE AND SIGNATURE-FREE
CLEANUP
 Cleanup request
received
 Check forensic logs
 Locate which process
performed malicious activity
 Remove malware
process, file and registry
entries
 Locate and remove
parent malware
 Locate and remove child
malware
 In case of failure, a
custom cleanup kit is
automatically generated
by Trend

RISK MANAGEMENT SERVICES
Bronze
Services
Silver
Services
Gold
Services
Diamond
Services
• On-demand advisory
services
• On-demand
remediation services
• Priority event alerting
• 8X5 access
• Product installation
and configuration
• Bronze package
plus…
• Weekly report reviews
& advisory
• Monthly status;
Quarterly reviews
• 24X7 access for
urgent issues
• Silver package plus…
• Daily report reviews &
advisory
• Customized security
planning
• Annual assessment
and training
• Gold package plus…
• Daily monitoring &
communication
• Complete tailored
services delivery
• Dedicated Technical
Account Manager
A component of Trend Micro Technical Account Management Services

Global Security
& Logistics Co.
OVER 300 ENTERPRISE AND GOVERNMENT
CUSTOMERS FOR TREND MICRO

National Housing Development Company
Partial List of Management System Training & Consulting
Clients
KEY CUSTOMERS

HOW WE CAN HELP YOU IN YOUR JOURNEY

▪ VAPT/IT Infra GAP Analysis
▪ Process Consulting (ISMS, ITSM, COBIT, PCI-DSS)
▪ Gateway Security, End Point Security, Anti-APT
Solution
▪ Security and Process Based Skill Development
Programs

Questions?

Mobile : +91 98300 17040, +91 90624 67427
Email : smukherjee@primeinfoserv.com , info@primeinfoserv.com
, sales@primeinfoserv.com
Web : www.primeinfoserv.com
PRIME INFOSERV LLP
(AN ISO 9001:2008 AND 27001:2013 CERTIFIED ENTERPRISE)
DL-124, 1st Floor, Salt Lake, Sector – II, Kolkata – 700091, India
Phone : +91 33 6526 0279, +91 33 4008 5677, +91 78900 19076, +91 84200 56620
CONTACT US

Infocon Bangladesh 2016

More Related Content

What's hot

Viewers also liked

Similar to Infocon Bangladesh 2016

More from Prime Infoserv

Recently uploaded

Infocon Bangladesh 2016