information risk management - csm-ace · information risk management starts from day 1 information...

Information Risk Management Alvin Ow Director, Technology Consulting Asia Pacific & Japan RSA, The Security Division of EMC


Post on 17-Jun-2020


Information Risk Management

Alvin Ow

Director, Technology Consulting

Asia Pacific & Japan

RSA, The Security Division of EMC

Agenda

Data Breaches

Required Capabilities for Preventing Data Loss

– Information Risk

– Information Incident

– Root Cause

Building a Comprehensive Information Risk Management Platform

Summary

Information Loss/Data Breach Questions

What information?

Who did this?

How did they get the information?

How do we ensure this never happens again?

What is the exposure to the organization?

How do we prevent this from happening again?

Analysis of a Data Breach

Bob realized that he can access the sales file share

Newly hired PM, Bob, is provisioned a profile similar to that of Deb’s

Deb joined Product Management from sales but still has access to sales file shares

The email is identified as a violation of a policy

The email is blocked

The security analyst and Bob’s boss are alerted

T | [T+.2] minutes | [T+.5] minutes | [T-1] days | [T-15] days | [T+180] days

Data Loss Event Happens here

Bob emailed the sales pipeline data out to a competitor

Data Loss Prevention Starts Here

Data Losses

Data Exposure

Data Loss

Required Capabilities for Preventing Data Loss

Discover

Information Risk

• Accurate discovery

• Scalable discovery

• Risk assessment

• Efficient process

RSA Data Loss Prevention

Workflow and Surveys

Risk Dashboards

Respond

Information Incidents

• Incident Mgmt.

• Business context

• Workflow/ticketing

• Metrics

• Dashboards

RSA Data Loss Prevention

RSA Security Incident & Event Management

Dashboards and Workflow

Reactive Controls

Fix

Root Cause

• Business/IT context

• Control procedures

• Integration and Questionnaires

• Metrics & Dashboards

RSA Archer IT GRC

SIEM

Proactive Controls

Required Capabilities for Preventing Data Loss

Discover

Information Risk

• Accurate discovery

• Scalable discovery

• Risk assessment

• Efficient process

RSA Data Loss Prevention

Datacenter and endpoint

Workflow and Surveys

Risk Dashboards

Respond

Information Incidents

• Incident Mgmt.

• Business context

• Workflow/ticketing

• Metrics

• Dashboards

DLP network and endpoint

SIEM

Dashboards and Workflow

Reactive Controls

Fix

Root Cause

• Business/IT context

• Control procedures

• Integration and Questionnaires

• Metrics & Dashboards

IT GRC

SIEM. SSCM and VA

Proactive Controls

Real-life Use Case

11/2: 30K files discovered by RSA Data Loss Prevention

11/6: 1200 Owners in 43 Countries Identified

11/19: RSA Archer IT GRC Platform sends questionnaire to data owners

12/19: 90% of files remediated

Repeatable and continuously monitored

Process time reduced by 400%

Evaluate and Reduce Risk at Datacenter

Remediate | Analyze | Discover

FS, Server, Laptop

•Windows file shares

•Unix file shares

•NAS / SAN storage

•Windows 2000, 2003

•Windows XP, Vista

300+ File Types

•Microsoft Office Files

•PDFs, PSTs

•Zip files

•CATIA files

Databases

•SharePoint

•Documentum

•Microsoft Access

•Oracle, SQL

•Content Mgmt systems

Remediation

•Secure Delete

• Manual/Auto Move

• Manual/Auto Quarantine

• Notifications

• eDRM

RSA Data Loss Prevention & Data Governance

•List of sensitive files

•Content of sensitive files

•Risk level of the files

Data Governance

• Users who have access

• Users accessing the files

• Owners of the files

RSA DLP Datacenter

• List of sensitive files

• Content of sensitive files

• Risk level of the files

• Identify files/folders at risk

• Identify true business owners

• Change permissions

RSA Archer Risk Management

Consistent and flexible approach for identifying, evaluating and responding to risks

Overview

Capture and relate risk to corporate objectives, mitigating controls and enterprise objects.

Maintain a repository of risk metrics.

Track financial losses as risk intelligence.

Build and deliver online assessments.

Score assessments automatically and generate findings for incorrectly answered questions.

Understand your organization’s inherent and residual risk through real-time reporting capabilities.

Required Capabilities for Preventing Data Loss

Discover

Information Risk

• Accurate discovery

• Scalable discovery

• Risk assessment

• Efficient process

DLP Datacenter

Workflow and Surveys

Risk Dashboards

Respond

Information Incidents

• Incident Mgmt.

• Business context

• Workflow/ticketing

• Metrics

• Dashboards

RSA DLP network and endpoint

RSA Security Incident & Event Management

Dashboards and Workflow

Reactive Controls

Fix

Root Cause

• Business/IT context

• Control procedures

• Integration and Questionnaires

• Metrics & Dashboards

IT GRC

SIEM. SSCM and VA

Proactive Controls

A Solution for DLP Incident Management

SMTP

Security Incident & Event Management

RSA enVision picks up a DLP action as an event which it can correlate with other events

HTTP, HTTPS, FTP

Proxy Server | Mail Servers

Data Feed Mgr

Correlated alerts are integrated into Archer

Archer shares enterprise context with enVision

Risk Mgr, Dashboards and Workflow

Incidents are assigned in work queues; workflow automates the case management process. Risk and Compliance metrics are rolled up into an executive level dashboard

Context Policy

Enterprise and Policy Mgr

enVision alerts are put in context with enterprise assets, risk, process, teams, etc.

RSA Data Loss Prevention

Monitor & Enforce User Actions at Egress

Enforce | Educate | Monitor

Email

•SMTP email

•Exchange, Lotus, etc.

•Webmail

•Text and attachments

Instant Message

•Yahoo

•AOL

•Microsoft

Web Traffic

•FTP

•HTTP

•HTTPS

•TCP/IP

Enforce

•Audit

•Block

•Encrypt

•Log

Monitor & Enforce User Actions on Endpoints

Connected or Disconnected from Corporate Network

Enforce | Educate | Monitor

Monitor and mitigate risk from end user actions on endpoints

Not Connected to Corporate Network

Connected to Corporate Network

RSA DLP Endpoint Monitor Agent

RSA Archer Incident Management

Reduce incident response times

Overview

► Centralize incident data and control access to assure data integrity.

► Track incidents and ethics violations in real-time through a customizable and easy-to-use web interface.

► Manage the investigation process.

► Implement response procedures and track incident resolution using built-in workflow.

► Maintain a detailed incident audit trail.

► Monitor incident status and impact, and identify trends and incident relationships.

Required Capabilities for Preventing Data Loss

Discover

Information Risk

• Accurate discovery

• Scalable discovery

• Risk assessment

• Efficient process

DLP Datacenter

Workflow and Surveys

Risk Dashboards

Respond

Information Incidents

• Incident Mgmt.

• Business context

• Workflow/ticketing

• Metrics

• Dashboards

DLP network and endpoint

SIEM

Dashboards and Workflow

Reactive Controls

Fix

Root Cause

• Business/IT context

• Control procedures

• Integration and Questionnaires

• Metrics & Dashboards

RSA Archer IT GRC

SIEM. SSCM and VA

Proactive Controls

What is Enterprise Context?

Business initiatives

Industry standards

Federal regulations

Best practices

Contractual obligations

Divisions

Facilities

Prod./Services

People

Processes

Applications

Devices

Information

Context Policy

evidence

Physical and Virtual IT Infrastructure

SIEM | DLP | Vulnerability | Configurations | Surveys | Assessments

evidence

Physical and Virtual IT Infrastructure

Connecting Enterprise Context to IT “Evidence”

Integration

Context Policy

Data Loss w/ Business Context

Users from the Client Services Group in the Boston facility are copying tier 1 data (SSNs) from the customer support application to a partner’s platform in the UK for the quarterly reporting process.

Data Loss w/o Business Context

User kpbrady from AD group Corp243 violated a policy on 3/8/2010 called “PII-CMR 201” by attempting to FTP SSNs from IP address 10.81.253.39 to 10.91.0.21. The action was blocked by DLP.

SIEM | DLP | Vulnerability | Configurations | Surveys | Assessments

Physical and Virtual IT Infrastructure

Process for Managing Risk

evidence | check

Views and Reports

Workflow

Detailed Controls

Integration

Workflow for incident management

Visibility and Context for prioritizing incidents and improving insight into risk

Correlated incidents and Scan results

Control procedures tied directly to IT Assets

Enforce Policy with workflow, reports and by connecting to detailed controls that are, in turn, tied to IT assets

SIEM | DLP | Vulnerability | Configurations | Surveys | Assessments

Context Policy

Summary

Information Risk Management starts from day 1

Information Risk

Information Incident

Root Cause Analysis

Information Risk Management Platform

– RSA Data Loss Prevention

– RSA Security Incident & Events Management

– RSA Archer IT Governance Risk & Compliance Platform

Thank You

Alvin Ow

RSA, The Security Division of EMC