People, Process and Technology

Andy Papadopoulos


Post on 21-Jan-2016


Page 1

People, Process and Technology

Andy Papadopoulos

Page 2

Fighting Fraud

Go after low hanging fruit – start with the most sensitive data and the areas where they are vulnerable - then work outwards

Leverage existing investments in Microsoft technologies

Implement Scorecards and Monitoring

Page 3

Today’s Information Challenge

More than 80% of enterprise's digitized information resides in individual hard drives and in personal files and 80% of the data is unstructured, not secure nor backed up.

Individuals hold the key to the knowledge economy and most of it is lost when they leave the enterprise

Employees get 50%-75% of their relevant information directly from other people

Source: Gartner Group/CIBC World Markets

Page 4

Confidentiality: Ensure privacy of user information and transmission

Integrity: Ensure accuracy of data and data processing

Availability: Maximize functionality and uptime

Trust: Confidence to transact

Page 5

Workplace E-mail Stats

Emails per day (%)        100+    ≥50    31-49    Weighted Total

Estimate the percentage email increase in the past 12 months (2002-3)

                           21     18      10          16

In your opinion, is email communication at your workplace out of control?

  No                        0     27      58          35
  Potentially              14     20      17          21
  Yes                      86     53      25          44

Should elimination of bad email habits be a corporate responsibility?

  Yes                      90     86      67          78
  No                       10      6       3           9
  Don’t know                0      7      29          13

Christina Cavanagh, Professor, Richard Ivey School of Business

Page 6

Keeping it Confidential

Don’t add layers …. Users won’t use them

Take advantage of tools already in place with the interfaces they are already used to

Information Rights Management

Page 10

Common ‘problems’ with data

Common agreed definitions (shared context) lacking

Inconsistent definitions across applications

Manual transformations and analysis

Manual Audit Trails

Poor Data Quality

Poor Connectivity from applications to resources

One Way Data Traffic (errors not corrected at the source)

Page 11

What does FINE mean?

“Don’t worry everything is Fine”

How do I get the validation I need?

Make use of dashboards and scorecards

Page 14

Service Level Reporting

Page 15

The Identity Lifecycle

New User: User ID Creation, Credential Issuance, Access Rights

Account Changes: Promotions, Transfers, New Privileges, Attribute Changes

Password Mgmt: Strong Passwords, “Lost” Password, Password Reset

Retire User: Delete/Freeze Accounts, Delete/Freeze Entitlements

Page 16

Identity Business Impact

24% lower productivity

  - End user spends 16 minutes a day logging in to various systems

  - Provisioning new users takes 28 hours longer than business requirements

Increased IT Operational Costs

  - Roughly 48% of help desk calls are password resets ($45-$153 each)

  - User management consumes 5.25% of all IT productivity

  - Most admin tasks (moves, adds, changes) take 10x longer than necessary

23% additional security risks

  - Only 70% of users deleted on departure

  - New users provisioned to 16 apps, on departure deleted from 10

  - A survey of over 600 organizations concluded that the average cost impact of security breaches on each organization alone is over $972K*

Source: Metagroup/PwC Survey 2002, * CSI/FBI Survey

Page 18

It’s a Virtual World …

The fine balance between keeping safe and allowing employees to do their jobs.

Workforce is mobile

Laptops are everywhere

Page 19

Mobile Workforce: Why We Need Quarantine

[Diagram labels: Internal Network, Remote Access Server, Internet, Mobile Laptop, Home Machine, VPN Connection, Dialup, Cable Modem or DSL]

Page 20

Internet and PC Usage Policy

“I didn’t know I couldn’t sell stuff on ebay 4 hours a day ….”

Put it in writing, keep it current, make it part of your HR process.

Page 21

Microsoft Best Practice Tools

Microsoft Baseline Security Analyzer

Exchange Best Practice Analyzer

SQL Best Practice Analyzer

Validates that your installation and configuration are done to best practice guidelines

Page 22

Microsoft Security Assessment Tool

Free tool to drive security awareness around people, process and technology

Download from: www.securityguidance.com

Page 23

A Layered Approach to Compliance

Engages the entire business for success

Allows for the allocation of controls outside of IT

Layers:

Legislation

Policies

Procedures

Physical Controls

Application Features

Inherent System Capabilities

Page 24

A Layered Approach to Security

Policies, Procedures, & Awareness: Documented Process and User Education!

Physical Security: Guards, locks, tracking devices

Perimeter: Firewalls, VPN quarantine

Internal Network: Network segments, Isolation

Desktop and Servers: OS hardening, patch management, authentication

Applications: Application hardening, antivirus

Data: Access controls, data encryption

Page 25

Discovery Session Offer

1-2 day offer from Office Systems Team

Makes use of scorecards and collaboration

Show you how you can use tools to better communicate/collaborate/share

Show accountability to stakeholders

[email protected]@legendcorp.com

Page 26

Summary

Leverage investments already made with Microsoft Technology

Make use of scorecards and monitoring systems to ensure things really are FINE