Introduction
• Welcome!
• Format of day
• Response to previous requests from clients
• Amendment to schedule
Using Information Security for Business Advantage
What will we achieve?
• Help you gain organisational commitment and justify required spend
• Introduction
• Part 1 - Visualisation techniques
• Part 2 - Communication techniques
• Part 3 - Supporting frameworks
Introduction
• Communicating security risk can be very hard in environments without structured metrics
• The classic chicken and egg scenario
• We did not want to concentrate on the is there/isn’t there argument for ROI.
Problems
• Senior Management and Board directors need to increase shareholder value
• Mature metrics make it easy to communicate shareholder-value-based risk
• Associating technical risks with revenue is impossible without a business context
• Information security managers with IT backgrounds find it hard to communicate risk at a business level
• The business seldom understands the value of its information assets
Part 1 – Protecting Traditional Assets
(Opening the Board’s Eyes to Information Security Spend – Is information security spending in line with traditional asset protection?)
Questions your Board may be asking
• Why do we need to worry about this information security issue?
• Why is Malware Protection so expensive?
• Are these costs of doing business online justified?
• I don’t understand whether this expenditure is justified
• The following examples have been developed to demonstrate how security is integrated seamlessly into existing business models
• Try to ignore any immediate reaction to industry sector!
Typical Retail Organisation (Asset Protection)
Business areas: Shops; Warehouse / Distribution; Human Resources; Finance
Asset-protection measures already in place:
• CCTV
• Counterfeit Detection
• Store Detectives
• Security Guards
• RFID
• Safes / Alarms
• Secure Cash Handling
• Vetting / References
• Disciplinary Procedure
• Internal Audit
• External Audit
• Stock Control
• Credit Control
• Accounting Policies / Standards
• Financial Reconciliations
• Product Integrity (for example: tamper evident jars)
• Cardwatch
• Local Crime Schemes
Typical E-Retail (Information Asset Protection)
Business areas: Ecommerce Site; Data Storage; Business Interfaces; IT/IS/Development
Information asset protection measures:
• Anti-Virus
• Firewalls
• Encryption
• Security in SDLC
• Threat Modelling
• Build Standards
• Information Security Policies
• Legislative Compliance
• Configuration Reviews
• Patch Management
• Access Control Reviews
• Application Testing
• Penetration Testing
• Monitoring / Intrusion Detection
• Vulnerability Assessment
• Vetting / References
• Disciplinary Procedure
• InfoSec Awareness Training
In Summary
• Information asset protection still lags behind traditional asset protection
• Opening the organisation’s eyes to traditional security measures can ‘set the scene’ to introduce information security
• A simple visualisation technique helps soften attitudes to information security spend
Part 2 – A model for information asset identification and classification
Part 2 - Communication of risk
• High level abstract link…
• How best to communicate the risk from this point forward
• Need to highlight risks that may impact shareholder value
• Must be flexible and expose risks not currently perceived
• One technique is threat modelling; there are plenty of others, however
Risk – A quick reminder
• Asset: an item of value
• Threat: an event that could have a detrimental effect on an asset
• Vulnerability: a conduit that could be exploited by a threat
• Business impact: the effect on a business of a risk being realised
Diagram: Asset, Threats and Vulnerability combine into Risks, which lead to BUSINESS IMPACT.
What is threat modelling?
• Threat Modelling:
• Grades Threats
• Allows identification of vulnerabilities
• Enhances the final calculation of risk
• Very powerful and business focussed
What it can provide:
• Defence in depth
• Effective controls with efficient expenditure
• Asset protection is proportional to the business value
• Greater measurable returns on security investment
Case Study – Insurance Company
• In excess of 600 systems
• Business run in a federated sense
• There is/was no centralised security management function
• Some security testing in the past against core systems
• No set budget for security
• Some basic security training, around physical security and access control
How the model was formed…
• Identified the systems and the assets
• A high level risk assessment based on the business risk and potential business impact
• Assignation of a commercial revenue value to each system
How the model was formed… (cont.)
• All revenue streams documented
• The most important systems quickly became evident
• Allowed focus on the most financially important assets
• Intangible assets were also assessed (reputation, client satisfaction, employee happiness etc.)
What did this do?
• This made an actual and tangible link for the management team, connecting the value of the information assets (within systems) with the value of the assigned security spend to identify and manage the risk
• It opened their eyes to the asset value, and made justification of budget almost self-fulfilling
Part 3 – Effecting Change (Operational Information Security)
Where are we?
Information Assets + Threats + Vulnerabilities = Risks
Risks + Existing Controls = Current Position
What is the appetite for risk?
Current Position – Where we want to be = Stage 1: Organisational Changes
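The case-study model and the "Where are we?" arithmetic, worked through as an added Python example (not from the presentation): each system carries a commercial revenue value plus an assessed intangible value, threat modelling grades threat and vulnerability, existing controls reduce the risk to a current position, and the gap to the board's risk appetite drives where organisational change and budget go. System names, values and the scoring formulas are constructed for illustration.

```python
from dataclasses import dataclass

# Added illustration of the deck's model, not the presenters' own tool.
# Grades run 1 (very low) to 5 (very high), as a threat-modelling exercise might assign them.

@dataclass
class System:
    name: str
    revenue: float          # annual commercial revenue the system supports (GBP, constructed)
    intangible: float       # GBP-equivalent the business put on reputation / client satisfaction
    threat: int             # graded threat (1-5)
    vulnerability: int      # graded exposure (1-5)
    controls: int           # strength of existing controls (1 = none, 5 = strong)

def business_impact(s: System) -> float:
    """An item of value: tangible revenue plus the assessed intangible value."""
    return s.revenue + s.intangible

def risk(s: System) -> float:
    """Assets + threats + vulnerabilities = risks: impact scaled by likelihood (threat x vulnerability / 25)."""
    return business_impact(s) * s.threat * s.vulnerability / 25

def current_position(s: System) -> float:
    """Risks + existing controls = current position (residual exposure)."""
    return risk(s) * (6 - s.controls) / 5

def prioritise(systems, appetite: float):
    """Current position - where we want to be = the gap per system, largest first.
    Systems already within appetite are omitted: no organisational change needed there."""
    gaps = [(s.name, current_position(s) - appetite) for s in systems]
    return sorted([g for g in gaps if g[1] > 0], key=lambda g: g[1], reverse=True)

def apportion_budget(systems, appetite: float, budget: float) -> dict:
    """Split a security budget across the systems above appetite in proportion to their gap,
    so protection spend tracks business value rather than technical interest."""
    gaps = dict(prioritise(systems, appetite))
    total = sum(gaps.values())
    if total == 0:
        return {}
    return {name: round(budget * gap / total) for name, gap in gaps.items()}

# Constructed slice of a federated insurer's estate: four of the "600 systems".
PORTFOLIO = [
    System("policy_admin",     10_000_000, 2_500_000, threat=4, vulnerability=3, controls=2),
    System("claims_portal",     5_000_000, 5_000_000, threat=5, vulnerability=4, controls=4),
    System("hr_intranet",               0, 1_000_000, threat=2, vulnerability=5, controls=1),
    System("payments_gateway", 20_000_000, 5_000_000, threat=3, vulnerability=1, controls=5),
]
RISK_APPETITE = 1_000_000   # residual exposure per system the board will tolerate (constructed)

if __name__ == "__main__":
    for name, gap in prioritise(PORTFOLIO, RISK_APPETITE):
        print(f"{name:17s} exceeds appetite by GBP {gap:,.0f}")
    print(apportion_budget(PORTFOLIO, RISK_APPETITE, 600_000))
```

The payments gateway carries the most revenue yet drops out of the change list because its strong controls already bring it within appetite, which is the point the deck makes about controls being proportional to business value rather than to raw asset size.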
Stage 1 – Organisational Change
• What is required for successful organisational change?
• Change Plan – how will we know when we arrive?
• Resources – do we have the resources to achieve the change?
• Sponsorship – do we have executive backing for change?
• Support (Culture) – important if exec sponsorship is broken?
Stage 2 - Operation
• Measure performance (results not activities)
• Make changes as necessary
• Periodically review performance
• Review measures
Summary
Your organisation is protecting its assets, but probably not adequately protecting its information assets. The risks may be different from the perceived risks.
Communicate this by identifying assets and the threats to them.
You can only manage what you measure. Identify the changes necessary, measure transition.