Download - Robert Garigue CISO Briefing.ppt
-
7/25/2019 Robert Garigue CISO Briefing.ppt
1/63
Page1
Robert Garigue
VP and Chief Information Security Officer
Controlling Order and Disorder
The evolving role of the CISO within the new structures of Information Systems
Page 2
Outline of our expedition
Background and Analysis Frameworks
- Business models
- The nature of the threats
The strategic information security framework
- Environmental factors
- Information security processes
Evolution of information security functions
- Alignment and Integration challenges
- Emerging new risks and concerns
Reflections on the nature and evolving role of the Chief Information Security Officer
Travels in a foreign land
Page 3
BMO Financial Group
- Founded in 1817. First Canadian Bank
- Highly diversified financial institution: retail banking, wealth management, investment banking
- Assets of 256 billion at October 31, 2003
- 34,000 employees
- Strong presence in US Mid-West through Harris Bankcorp
- Overseas offices around the world
Page 4
Metrics of the Digital BMO
- 200+ Mainframes
- 276+ Open System Business Critical Applications
- 37,000 Desktops
- 200 support servers
- 6,000 main network devices
- 16 Terabytes of data storage
Page 5
Myths and Realities
For some the world is a multidimensional place... and for others it is still flat...
There are always Myths and Realities.
Page 6
An evolving organizational context: Information Society
Some of the New Realities:
- Information based productivity
- Computer mediated decisions
- Rise of the knowledge worker
- Network centric structures and value chains
- Command and Control hierarchies are displaced by Cooperative, Commutative and Coordinated organizations
- "A burden shared is a burden halved... an intellectual asset shared is one doubled"
Page 7
The Integrated Informational Value-Chain
(Figure: value-chain stages labelled Linked, Complementary and Interdependent; the shift is from "Goods or Services" to "Goods with Services".)
Page 8
Information Flows: Health Care Ecosystem (figure)
Page 9
The impact will be felt in the three realms of cyberspace: Physical, Process, Content.
Page 10
The Evolution of the Noosphere (Teilhard de Chardin)
(Figure: computing eras Main Frame, Client Server, Mobile and Peer to Peer; the focus shifts from Organizations (command and control) to Individuals (cooperation, coordination and communication); attributes of the emerging stage: Ubiquitous, Trusted, Affective, Advisory, Always on, Social.)
Page 11
It is full of Risk: These are the shape of "Things Now Dead"
Page 12
But there will always be conflict between Open systems and Closed systems... Violent conflict...
Pablo Picasso, Guernica, 1937. Oil on canvas. Museo del Prado, Madrid, Spain.
Page 13
Zero-day virus: Slammer, 30 minutes later
http://www.silicondefense.com/research/worms/sql-before.gif
http://www.silicondefense.com/research/worms/sql-after.gif
Page 14
Information Security: A new oxymoron
Information / Security / The debate
http://www.robertaweir.com/
http://www.thinkingbaptists.com/forums
Page 15
Arguments For Getting Funding: Levels of Maturity of the Organization
- Fear, Uncertainty and Despair: "The hackers, virus, will get us unless..."
- The Herd Mentality: "The king needs Taxes"...
- The Analytical ROI: "Investment in Intrusion Prevention Systems are better than"...
- Arguments that have yet to come: "Because we can take on more business and manage more risks" (brakes enable cars to go faster)
Page 16
Information Security: Managing Expectations. Sometimes it is just a communication issue...
Page 17
Consequence A: Information Security Officer as The Jester
- Sees a lot
- Can tell the king he has no clothes
- Can tell the king he really is ugly
- Does not get killed by the king
- Nice to have around but... how much security improvement comes from this?
Page 18
Consequence B: Information Security Officer as Road Kill
- Changes happened faster than he was able to move
- Did not read the signs
- Good intentions went unfulfilled
- A brutal way of ending a promising career
- Sad to have around but... how much security improvement comes from this?
Page 19
Maybe a better model for CISO: Charlemagne
King of the Franks and Holy Roman Emperor, conqueror of the Lombards and Saxons (742-814), reunited much of Europe after the Dark Ages.
- He set up other schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court, encouraging the development of a standard script.
- He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity in every class of people.
- He relied on Counts, Margraves and Missi Domini to help him.
Margraves: guard the frontier districts of the empire. Margraves retained, within their own jurisdictions, the authority of dukes in the feudal arm of the empire.
Missi Domini: messengers of the King.
Page 20
Knowledge of "risky things" is of strategic value
- How to know today tomorrow's unknown?
- How to structure information security processes in an organization so as to identify and address the categories of risk?
This is the mandate of information security.
Page 21
The Interconnected Societies: the critical Infrastructure
(Figure: a layered model of the critical infrastructure. Common layers, bottom up: Geographical Map Layer (geopolitical boundaries); Terrain Layer (elevation); Feature Layer (land use, cities, buildings, towers); Physical Backbone Layer (cables, fiber routes, satellites); Transport Services Layer (SONET rings, ATM, PSTN); Telecom Services Layer (Internet, data, voice, fax). Sector-dependent layers above them: Operations Layer, Technical Application Layer, Control Layer. Sector examples: Telecom (billing and resource planning, load balancing, reliability, SS7, SCADA); Utilities (billing and resource planning, grid and pipeline monitoring and control); Financial (billing and payment, Internet banking, financial services utilities, stock and financial exchanges, POS terminals, ATMs); Government (legislation, taxation, law and order, secure channels, provincial and federal services); Healthcare (billing, administration, diagnostics, electronic records, hospitals, labs and clinics, pharmacies, HL7).)
Page 22
Indicators and warnings. External environment: the rates of evolution
- 16 new malware products launched every day: viruses, worms, trojan horses, spyware etc.
- 7 new vulnerabilities discovered every day
- 20 minute guaranty
- Probes against Financial Institutions' web sites launched every 6 seconds
- Social engineering is on the rise: People are the weak link
Threat sources: Hackers, Script kiddies, Industrial espionage, Cyber-terrorists?, Competitors, Suppliers
Page 23
Indicators and warnings: Threats and targets
Source: The McKinsey Quarterly, 2002 Number 2, "Risk and resilience", Daniel F. Lohmeyer, Jim McCrory and Sofya Pogreb.
Page 24
Manufacturing exploits: The electronic Petri Dish
Malware: spyware + trojan + spam + exploits + social engineering
Page 25
Indicators and warnings: How money was lost (Rough order of magnitude (ROM))
Source: CSI/FBI Report 2003, 530 US based corporations, government and educational institutions.
Page 26
Identity Theft in Canada (figure)
Page 27
Hacking Beliefs
Identity Theft
- One of the fastest growing crimes. Statistics Canada reports 13,359 cases, 21.5 million in losses in 2003
- Account takeover (credit cards, bank accounts)
- Application fraud (open new accounts with victim's ID)
- Industry needs improved identity management solutions and strong public awareness
Phishing (using email scams to collect confidential information)
- Key issues: detection, shutting down bogus sites, customer awareness
- Banks are posting warnings on their public sites, and updating security page information with "Q&A" type of information.
Page 28
Emergent Complexity: Spam Space as Risk (figure)
Page 29
Structuring Risks: An Organizational Risk Categorization Taxonomy (figure)
Page 30
Structuring Risks. Regulatory Environment: where are the controls?
(Figure: the mandates below positioned along Privacy and Security axes.)
- Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
- Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) - U.S.
- California Law SB1386 - California
- HIPAA (Health)
- Office of the Superintendent of Financial Institutions (OSFI) Canada - Guideline B10
- The Financial Services Authority (FSA) England - Section 4
- Federal Financial Institutions Examination Council (FFIEC) - U.S., SP-Policy
- Office of the Comptroller of the Currency (OCC) - U.S., OCC 2001-47
- The Bank Act - OSFI Canada Guidelines B6, B7, B10
- Sarbanes-Oxley Act (SOX) - U.S.
- Bill 198 - Canada
- SEC Rule 17a-4
- Basel II Accord
- European Union Directives on Information Security
- Canada's National Security Program
- Patriot Act - US
Page 31
Regulatory Penalties & Fines Grid

Name of Regulatory Mandate | Some Potential Penalties | Potential Fines
SOX | 20 years in prison | 1 million
Basel II | Regulatory agency penalties: vary by G-20 country | Regulatory agency fines: vary by G-20 country
HIPAA | 10 years in prison | 250,000
GLBA | 10 years in prison | 1 million
Patriot Act | 20 years in prison | 1 million
DoD 5015.2 | Failure to qualify for DoD contract; contract breach (FAR penalties) | Contract penalties
California SB 1386 | Unfair trade practice law penalties: vary by state | Private civil and class actions; unfair trade practice law fines: vary by state
SEC Rule 17a-4 | Suspension/expulsion | 1 million+
Page 33
Information Security organization as result of the knowledge transfer process
(Figure: The Knowledge Transfer Cycle. Security functions plotted against technical threats (passive to real time) and organizational complexity/capability (low to high): Virtual Private Networks, Firewalls, Virus Scanners, Intrusion Detection, Monitoring, Vulnerability Analysis, Real Time Response, Role based identity, Access management, Digital Rights Management.)
Page 34
Knowledge transfer
(Figure: The Knowledge Transfer Cycle of Page 33, with the knowledge networks that feed it: FI CIRT and other banks, vendors, FIRST, projects, clients and businesses, wireless, information infrastructure, utilities, health, telecom.)
Page 35
Control Framework is a hierarchy of accountability structures
(Figure: control layers from the infrastructure up to the infostructure: Network Protection, Operating System Protection, User Access Control and Authorization, Object Integrity, Content Certification, Digital Signatures; grouped as Perimeter Protection, Access Management and Content control; serving Operational Support, Clients/Users and Business Applications; under the headings Security and Privacy.)
Page 36
Information Security Management Framework
Risk/Cost across the lifecycle (Business Requirements, Design, Development, Implementation, Operations): strategic risk level LOW, tactical risk level MEDIUM, operational risk level HIGH.
STRATEGIC: Governance and policies
- Policies, Standards, Procedures, Guidelines, Awareness, Research
TACTICAL: Application/system development and deployment
- Design reviews, IS solutions, Due care, Risk acceptance, New technology insertion
OPERATIONAL: Active security posture
- Antivirus management, Vulnerability assessments, Intrusion detection, Incident response
OPERATIONAL: IS services
- Access management, Key management, Security token management, Other operational services
(Risk curves)
Page 37
Information Security Key Performance Indicators
Policy
- Number of Policy Exceptions
- Number of Risk Acceptances
- Value of Residual Risk
Process
- Number of security issues in new projects
- Number of ID accounts (active/dead)
- Number of keys / digital certificates / tokens
- Time to respond to patches, incidents
- Losses due to security incidents
People
- Number of certified personnel
- Overall capital investment ratio (security to IT spend): per system, per person, per incident
Tycho Brahe (1546-1601)
Page 38
Information Security Key Performance Metrics
(Chart: Risk Acceptance and ISM Exception Forms, quarterly from Q3 2003 to Q3 2004, scale 0 to 160; series: Active ISM Exceptions (+4.2).)
Page 39
April Microsoft Security Patch Deployment (Servers & Workstations: over 30,000 systems reported)
(Chart: % Complete (0 to 100) against Days Elapsed (1 to 16). Milestones: 0 days, patch announced; 7 days, advisory upgraded (exploit emerges); 16 days, major areas complete; 17 days, Sasser worm emerges. Reference lines: "Accelerated" threshold; "Normal" threshold, 2 weeks elapsed; proposed "Accelerated" threshold, 7 days elapsed.)
Note: April 2004 release required 4 separate patches.

Deployment category by rating (rows and columns are the three rating levels H, M, L):
      H            M            L
H     Emergency    Accelerated  Accelerated
M     Accelerated  Accelerated  Normal
L     Accelerated  Normal       Normal

Patch/Incident (chart of days to patch):
- April 2004, Critical (4)
- February 2004, Critical
- Nachi/Blaster (August 2003)
- SQL Slammer (January 2003)
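The decision matrix and the day-count thresholds on this slide are enough to drive a rollout tracker. The following is an added example written for this page, not code from the briefing or from BMO: the names (Report, classify, deployment_status), the announcement date, the 2-day Emergency threshold, which axis of the matrix is severity and which is exposure, and the sample host reports are all assumptions.

```python
"""Added example: track a patch rollout against the slide's deployment matrix
and thresholds. Not code from the briefing; names, the sample hosts, the
announcement date and the Emergency threshold are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Deployment category by two H/M/L ratings, as in the slide's 3x3 matrix.
# Assumption: the first axis is patch severity, the second is business exposure.
CATEGORY = {
    ("H", "H"): "Emergency",   ("H", "M"): "Accelerated", ("H", "L"): "Accelerated",
    ("M", "H"): "Accelerated", ("M", "M"): "Accelerated", ("M", "L"): "Normal",
    ("L", "H"): "Accelerated", ("L", "M"): "Normal",      ("L", "L"): "Normal",
}

# Days allowed from announcement to full deployment. "Normal" = 2 weeks and the
# proposed "Accelerated" = 7 days are the slide's thresholds; "Emergency" = 2 days
# is an assumption.
THRESHOLD_DAYS = {"Emergency": 2, "Accelerated": 7, "Normal": 14}

# Assumed announcement date for the April 2004 release used in the sample.
ANNOUNCED = date(2004, 4, 13)


def day(n: int) -> date:
    """Calendar date n days after the announcement."""
    return ANNOUNCED + timedelta(days=n)


@dataclass(frozen=True)
class Report:
    host: str
    patched_on: Optional[date]  # None: host still reports the patch as missing


# Constructed sample: nine hosts patched on the given day offsets, one never patched.
SAMPLE = [Report(f"ws{i:02d}", day(d)) for i, d in enumerate([1, 2, 3, 5, 6, 8, 10, 12, 15])]
SAMPLE.append(Report("srv-legacy", None))


def classify(severity: str, exposure: str) -> str:
    """Map H/M/L severity and H/M/L exposure to a deployment category."""
    return CATEGORY[(severity.upper(), exposure.upper())]


def percent_complete(reports, as_of: date) -> float:
    """Share (0..100) of reporting hosts patched on or before as_of."""
    if not reports:
        return 0.0
    done = sum(1 for r in reports if r.patched_on is not None and r.patched_on <= as_of)
    return round(100.0 * done / len(reports), 1)


def completion_curve(reports, days: int):
    """(days_elapsed, percent_complete) points, i.e. the curve plotted on the slide."""
    return [(n, percent_complete(reports, day(n))) for n in range(days + 1)]


def deployment_status(reports, category: str, today: date, target: float = 100.0):
    """Where the rollout stands against the threshold for its category."""
    deadline = day(THRESHOLD_DAYS[category])
    pct = percent_complete(reports, today)
    return {
        "category": category,
        "days_elapsed": (today - ANNOUNCED).days,
        "percent_complete": pct,
        "deadline": deadline.isoformat(),
        # Overdue only once the deadline has passed with the target still unmet.
        "overdue": today > deadline and pct < target,
        # Hosts still exposed as of today: the population an emerging exploit hits.
        "unpatched": sorted(r.host for r in reports
                            if r.patched_on is None or r.patched_on > today),
    }


if __name__ == "__main__":
    for n, pct in completion_curve(SAMPLE, 17):
        print(f"day {n:2d}: {pct:5.1f}% complete")
    # An H-severity, M-exposure patch is "Accelerated"; check it on the day the
    # slide marks the Sasser worm's appearance.
    print(deployment_status(SAMPLE, classify("H", "M"), day(17)))
```

Run stand-alone it prints the completion curve for the constructed sample and the status of an H/M (Accelerated) patch at day 17: the rollout is overdue because the 7-day proposed threshold passed with the target unmet, and the "unpatched" list names the host that is still exposed. That list, not the percentage, is what incident response needs when the advisory is upgraded at day 7.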
Page 40
Major Networks
(Table: 2001 and 2002 figures by year/quarter for the major networks, including Nesbitt Burns, Capital Markets and Harris.)
Page 41
(Figure: Training; Fast)
Page 42
Making The Case for Security Investments
- Return on Investment (ROI) has failed to demonstrate it economically because there are too many variables
- Benefits hard to quantify: what's the value of good health?
- Statistical data unreliable and changing fast
- Cost avoidance not the same as cost savings
- The "language divide": accounting vs. security
- Loss of credibility more costly than loss of physical assets
- Technology substitution is not a guaranty of more capability
(Figure: curves for Total Security costs, Incidents Costs and Security Investments.)
Page 43
The Security Challenge: Alignment
The Digital Divide: two solitudes, in virtual isolation
Security services: Antivirus, Patches, Vulnerability Assessments, Incident management, Intrusion detection, Application security, Access management, Key management
IT processes: Application development, Architecture, Problem management, Incident management, Change management, Service level, Configuration, Firewall rules, Capacity, Availability, IT Service continuity
Project assessment
Page 44
Maturity Framework Levels: Stages of Evolution of a system

Phase | Description
0. Absence | Nothing present
1. Initiation | Concrete evidence of development
2. Awareness | Resources allocated
3. Control | Formalized
4. Integration | Synergy between processes
5. Optimization | Continuous self improvement & optimization

Characteristics: visible results, management reports, task/authorities defined, active rather than reactive, documentation, formal planning.
Page 45
Maturity Frameworks pedigree: The reference framework
"It is better not to proceed at all than to proceed without method" (Descartes)
Information Security Maturity model: ISO 17799
Page 46
Information Security Maturity model - ISO 17799
Information Technology Infrastructure Library (ITIL)
SEI CMM (Capability Maturity Model)
Page 47
A proposal for a new integrated risk framework
The objective is to lower the overall risk through capability maturity framework integration.
(Figure: lifecycle stages Bus. Req., Design, Development, Implementation and Operations, each aligned with a framework: ITIL, SEI CMM, ISO Project, ISO 17799.)
Risk Management through Maturity Framework alignment
Organizational focus