Defending the Digital Frontier - Securely Yours LLC

Posted on 01-Oct-2021

Page 1: Defending the Digital Frontier - Securely Yours LLC

Defending the Digital Frontier

Page 2: Rudy Giuliani's Call to Action

"The time has come for senior executives of U.S. corporations to follow the President's lead and make security a mainstream, business-critical, board-level issue… the time when security-related decisions could be left to persons at a mid-manager level or decided solely upon budgetary considerations has passed. Senior executives must now take the steps to plan, prepare and practice to address their organizational security threats and challenges."

Page 3: Digital Security Breach: The True Cost

Cost: $15 to $20 million, or 1% to 1.5% of sales, per incident

Tangible losses:
• Lost productivity
• IT support costs
• IT systems/software

Intangible losses:
• Damage to brand
• Third-party liability
• Loss of customer/supplier confidence

The greatest loss as a result of an IT security breach is the intangible impact.

Page 4: Security Drivers in Today's Complex Environment

Economic drivers: ROI, risk, profits, homeland security, shareholder value, productivity

Industry/regulatory groups: HIPAA, GLB, Sarbanes-Oxley, Patriot Act, Homeland Security Act; BAI, DOC, DOT, FDIC, Federal Reserve, FEI, FFIEC, FS-ISAC, InfraGard, ISACA, ISF, ISSA, NCUA, NIST

Standards: BS 7799, CBCP, CISSP, ISO 17799, ITIL, SANS/GIAC

Complex technologies: security management, network management, operational integrity, managed security services; authentication, authorization, administration, encryption, firewall/VPN

Page 5: Multiple Drivers Are Bringing Digital Security to the Boardroom

A "triple witching event" of three drivers:
• Privacy/fraud (CA 1386, GLB, HIPAA)
• Homeland defense (Homeland Security Act, USA Patriot Act)
• Sarbanes-Oxley

Page 6: IT Executives Are Increasingly Focused on Controls

Technical advances and increasing regulation (HIPAA, Sarbanes-Oxley, Homeland Security) are moving the emphasis from improving function to improving control.

Improving function:
• Feature
• Productivity
• Reliability

Improving control:
• Security
• Predictability
• Stability

Page 7: What is the Digital Frontier?

The digital frontier is the forward edge of technological impact with respect to organizations' usage of technology and their reliance upon it for productivity improvements.

[Chart: productivity improvement / reliance on IT (low to high) plotted against IT usage (low to high); the frontier advances from mainframe (MF, 1970s) to client/server (1980s), the Internet (1990s) and mobile (2000s).]

Page 8: Increased Security Risks

As organizations invest for productivity improvement to the edge of the digital frontier, they also encounter increased security risks through a greater impact and probability of technology failures.

[Chart: impact of failure plotted against probability of failure (low to high) for the same eras, mainframe through mobile; both rise together toward the frontier, so risk increases.]

Page 9: The Security Frontier

The digital frontier and corresponding security risk combine to create a new frontier. We call this the security frontier.

[Chart: the two preceding charts overlaid; productivity improvement / reliance on IT and increased risk (impact and probability of failure) rise together with IT usage from the 1970s to the 2000s.]

Page 10: The Digital Security Gap

Caught up in the pursuit of productivity improvements, management apparently overlooked security.

[Chart: total spending (low to high) over time (1990s to 2000s); spending on digital technology outpaces spending on digital security, and the distance between the two curves is the digital security gap.]

Page 11: 6 Key Security Characteristics

Page 12: 1) Aligned

The attainment and maintenance of appropriate alignment between digital security, the IT organization, digital assets and business objectives.

[Diagram: business objectives, digital assets, the IT organization and digital security, each aligned with the others.]

The distance between the top levels of management and the security team is known as the Security Management Gap.

79% of respondents in the 2002 Ernst & Young Digital Security Overview survey indicated that the documentation, implementation, and follow-through cycle for their information security policies was not being carried out completely.

Page 13: 2) Enterprise-Wide

A holistic view of the security needs for the entire organization, as well as its extended enterprise, to ensure consistent, efficient deployment. Critical authority is given to a centralized body to ensure consistently highly effective security throughout the organization.

86% of companies surveyed have intrusion detection systems in place. However, of those companies, only 35% actively monitor 95% to 100% of their critical servers for intrusions.

Page 14: 3) Continuous

Real-time monitoring and updating of all security policies, procedures, and processes to ensure a timely response to issues and opportunities.

Not occasionally. Not periodically. Continuously.

46% of respondents indicated that they use manual or partially automated methods of tracking physical assets as opposed to fully automated methods.

Page 15: 4) Proactive

The ability of a security program to effectively anticipate potential threats and vulnerabilities and to maintain the confidentiality, integrity, and availability of its digital assets.

[Chart: risk intelligence (low to high) over time; the traditional approach of an initial assessment followed by periodic assessments is contrasted with a proactive program built on ongoing monitoring.]

Only 16% of respondents have wide-scale deployment of a vulnerability tracking mechanism and knowledge of all critical information vulnerabilities.

Page 16: 5) Validated

Achieving highly effective digital security requires third-party validation of critical security components and business objectives.

[Diagram: rigor of validation rises from deployed, through tested, to validated; validation can be performed by self, peer or third party, and against a unit, a business objective or a standard.]

66% of respondents indicated that their information security policies are not in complete compliance with the domains defined by ISO 17799, CISSP, Common Criteria, or other recognized models.

Page 17: 6) Formal

Policies, standards, and guidelines which provide fundamental direction on digital security issues and are endorsed by senior staff. To be formal, they must be documented and tested, then communicated to every member of the organization.

[Diagram: a grid of how thoroughly policies are documented (minimally to highly) against how thoroughly they are confirmed (minimally to highly).]

13% of respondents have integrated business continuity and disaster recovery plans that address recovering the entire enterprise. 7% indicated they have no documented plans in place.

Page 18: Technology and Business Objectives Drive Requirements

[Chart: security requirements zones. Impact (low to high) is plotted against probability of failure (low to high), and the plane is divided into a minimum standards zone, a managed risk zone and a trusted system zone. Example systems plotted range from an information kiosk, public web server and e-mail server, through an e-commerce system and electrical power, to a financial system, health care system and bank ATM.]

Page 19: The Security Agenda

Page 20: 9 Strategic Areas of "The Security Agenda"

Around a central security strategy:
• Policies, standards, & guidelines
• Intrusion & virus detection
• Incident response
• Physical security
• Asset & service management
• Vulnerability management
• Entitlement management
• Privacy
• Business continuity

Page 21: Complex Organizational Transformation

All 3 components needed.

[Diagram: the three components of the transformation; technology is one of them.]

Page 22: Intrusion and Virus Detection

[Diagram: detection points across the infrastructure: router, firewall, web server, operating system, application, database, SNMP and biometrics.]

Page 23: Incident Response

[Diagram: two cycles, an event lifecycle (mobilize) and a program lifecycle (administer), feeding the incident response program.]

Page 24: Privacy

[Diagram: a privacy program cycle of diagnose, improve, verify and maintain around a baseline. Activities shown: stakeholder expectations, legislation, organization; benchmarking/roadmaps, people, policies, operations, technology; remediation plans, training; independent verification, service provider compliance, data registration; ongoing monitoring, re-certification.]

Page 25: Policies, Standards, and Guidelines

Page 26: Physical Security

• Structural: fences, walls, gates
• Guards, cameras

Page 27: Asset & Service Management

• Manage and track assets
• Automate processes

[Diagram: technology assets under asset management.]

Page 28: Vulnerability Management

[Diagram: a maturity grid. One axis expands control, from knowledge (configurations, policies, alerts; know critical assets) through deployment (workflow/tracking, feasible deployment) to accountability (governance and accountability, compliance audit ability). The other axis expands scope over critical infrastructure, from "just protect systems" through "serve and protect systems" to "all critical infrastructure", moving from technology and people to IT process. Responsibility broadens from the security systems team and security team, through the key assets team and CIO team, to the IT audit team and CFO team.]

Page 29: Entitlement Management

Identity management: data model, metadirectory, authentication management

Access management: access control, user management, policy management

Delivered through secure portals and single sign-on.

Page 30: Business Continuity

Business continuity roadmap:
• Business impact assessment
• Threat and risk assessment
• Recovery strategies
• Business continuity plan
• Plan maintenance program

Page 31: A Scorecard for Evaluation & Action

Each of the nine areas is rated high risk, medium risk or low risk:
• Policies, standards, & guidelines
• Intrusion & virus detection
• Incident response
• Physical security
• Privacy
• Asset & service management
• Vulnerability management
• Entitlement management
• Business continuity

Page 32: Security Organizational Framework

Organization: CEO; public, media and government relations; security committee; security officer; asset management; physical security; continuity planning; privacy officer; service management.

Planning: business requirements, education, formal communications, governance, policies, project management, risk assessment

Architecture: requests for proposals (RFP), standards & guidelines, technical requirements/design, technical security architecture, technology solutions

Operations: incident response, access control/account management, investigations, standards/solutions deployment, training & awareness, vulnerability management

Monitoring: auditing, reporting, systems monitoring, security testing

Page 33: The Roadmap for Success

Page 34: Executive Management Must Understand

• Scenario-based simulations (table-top exercises)
• The organization's response
• Critical roles and responsibilities
• Action plans to minimize the effect of an incident
• Monitor and test responses

Page 35: Model and Define Risk: Establish Consistent Threat Categories

Digital impact/risk                    Dept. of Homeland Security risk level
Risk to multiple customers             Severe
Risk to a customer segment             High
Core process or system shutdown        Elevated
Chronic or series of inefficiencies    Guarded
Tactical inefficiencies                Low

Page 36: Understand the Risk Posture Curve

[Chart: impact of occurrence (low to high) plotted against frequency of occurrence (low to high); the curve runs from high-impact, low-frequency events to low-impact, high-frequency events.]

• Each of the 9 areas of the security agenda determines your risk posture, or how events will affect your organization
• Your risk posture changes as the environment and technology change

Page 37: The Fulcrum of Control

[Chart: the same impact-versus-frequency curve, with the high-impact end labelled "immediate action" and the high-frequency end labelled "ROI decision".]

• The ability to control and contain digital security incidents is the key to success
• Management must determine this tipping point, or fulcrum, and use it to drive their focus

Page 38: Forces Affecting Risk

[Chart: the risk posture curve, with new or changed technology and risk management shown as the two forces acting on it.]

• Every time technology is changed or deployed, the risk posture curve moves
• Management must recognize this and deploy security resources accordingly
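The three slides above describe the curve only qualitatively. As an added example (not from the deck or from Securely Yours LLC), the Python below makes the same model computable: each agenda area is a point on the curve with an impact of occurrence and a frequency of occurrence, the fulcrum of control is found by comparing what a containing control costs with the loss it avoids, and a technology change is modelled by moving one point and recomputing. The 1-5 impact scale, the dollar losses, the control costs and the reduction factors are assumptions, and the register is constructed for illustration.

```python
"""Risk posture curve, fulcrum of control and technology-change shift.

Added example, not code from the deck or from Securely Yours LLC.
The deck only draws impact of occurrence against frequency of
occurrence; the 1-5 impact scale, the per-event losses, control costs
and reduction factors below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskItem:
    area: str              # one of the nine areas of the security agenda
    impact: int            # impact of occurrence, 1 (low) .. 5 (high); assumed scale
    frequency: float       # expected occurrences per year
    loss_per_event: float  # assumed loss per occurrence, in dollars
    control_cost: float    # assumed annual cost of the control that contains it
    reduction: float       # fraction of expected loss that control removes, 0..1


def expected_annual_loss(item: RiskItem) -> float:
    """Frequency times loss per event: the item's height on the curve in money terms."""
    return item.frequency * item.loss_per_event


def control_net_benefit(item: RiskItem) -> float:
    """Loss avoided by the control minus what the control costs per year.
    Positive means the control pays for itself."""
    return item.reduction * expected_annual_loss(item) - item.control_cost


def posture_curve(items):
    """Order items the way the slide draws the curve: high impact and low
    frequency first, low impact and high frequency last."""
    return sorted(items, key=lambda i: (-i.impact, i.frequency))


def fulcrum(items):
    """Split the curve at the fulcrum of control. Items whose control has a
    positive net benefit are the 'immediate action' side; the rest are
    'ROI decisions' that management must consciously fund or accept."""
    curve = posture_curve(items)
    immediate = [i.area for i in curve if control_net_benefit(i) > 0]
    roi_decision = [i.area for i in curve if control_net_benefit(i) <= 0]
    return immediate, roi_decision


def deploy_technology(items, area, frequency_factor, impact_delta=0):
    """Model 'new or changed technology': scale the frequency and shift the
    impact of the affected area, returning a new register so the fulcrum
    can be recomputed. Impact is clamped to the assumed 1..5 scale."""
    out = []
    for i in items:
        if i.area == area:
            i = replace(i, frequency=i.frequency * frequency_factor,
                        impact=max(1, min(5, i.impact + impact_delta)))
        out.append(i)
    return out


# Constructed sample register (illustrative figures, not survey data).
REGISTER = [
    RiskItem("Intrusion & Virus Detection", 4, 2.0, 250_000, 120_000, 0.6),
    RiskItem("Incident Response",           5, 0.5, 2_000_000, 300_000, 0.5),
    RiskItem("Vulnerability Management",    3, 6.0, 40_000, 90_000, 0.7),
    RiskItem("Entitlement Management",      4, 1.0, 300_000, 200_000, 0.5),
    RiskItem("Physical Security",           2, 3.0, 10_000, 50_000, 0.8),
    RiskItem("Business Continuity",         5, 0.1, 5_000_000, 150_000, 0.4),
]

if __name__ == "__main__":
    immediate, roi = fulcrum(REGISTER)
    print("Immediate action:", immediate)
    print("ROI decision:    ", roi)
    # A new identity platform doubles the frequency of entitlement
    # incidents; the curve moves and so does the fulcrum.
    changed = deploy_technology(REGISTER, "Entitlement Management", 2.0)
    print("After change:    ", fulcrum(changed))
```

Run as a script it prints which areas sit on the immediate-action side of the fulcrum before and after the change. The point of the last step is that the fulcrum is a property of the whole register, so a single deployment can carry one area across it while every other line stays exactly as it was.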

Page 39: Manage Risk for a Competitive Advantage

[Chart: the same impact-versus-frequency curve.]

• Maintaining digital availability when your competitors in your industry fail is critical to most companies' long-term success

Page 40: 6 Characteristics by Industry

[Chart: survey scores for each of the six characteristics, on a scale from about 2.55 to 4.15, across six industries (Auto/Man, Energy, Financial Services, Life Sciences, Tech/Media, Telecom). Scores by characteristic as they appear on the chart: Continuous 3.16, 4.05, 3.41, 3.52, 3.31, 4.13; Enterprise-wide 2.77, 3.00, 3.18, 3.35, 3.52, 3.94; Aligned 2.77, 2.95, 3.41, 3.59, 3.72, 4.15; Formal 3.48, 4.09, 3.25, 3.60, 3.64, 3.88; Validated 3.82, 3.48, 3.29, 3.84; Proactive 2.91, 2.88, 3.40, 3.03, 3.00.]

Page 41: Security "Orbit of Regard"

[Diagram: the CEO at the centre, with growth, products/services, market share and customer service in close orbit; digital security's orbit has moved closer in each decade, from the 1980s through the 1990s to the 2000s.]

• Security is a top executive issue
• Today, companies will compete on being able to respond to a digital threat
• Top executives must close the digital security gap

Page 42: Highly Effective Security Cultures:

• are chief executive-driven
• maintain a heightened sense of awareness
• utilize a digital security guidance council
• establish timetables for success and monitor progress
• drive an enterprise-wide approach

The level of commitment of the organization's personnel to the principles of security will determine the success or failure of the digital security program.

Page 43: For More Information…

Sajay Rai
CEO and Managing Partner, Securely Yours LLC
248-723-5224
[email protected]