why physical security just isn’t enough, sending the heavies into virtualized environments

Alan Jenkins Chief Security Officer, T-Systems Limited - a Deutsche Telekom company


Post on 28-Nov-2014


Page 1: Why physical security just isn’t enough, Sending the heavies into virtualized environments

Alan Jenkins, Chief Security Officer, T-Systems Limited - a Deutsche Telekom company

Page 2

Data Privacy, Risk & Compliance

We are a Systems Integrator & Outsource Provider

Other Clients include: BP, EADS, E.On, TUI …

Page 3

Why physical security just isn’t enough - sending the ‘heavies’ into virtualised environments

….. whilst not neglecting the security basics.

And accepting that there is always risk!

Discussion & interaction welcome!

NB Views expressed are not necessarily representative of either DTAG or T-Systems International Gmbh

Page 4

What does ‘Security’ mean to you and the business that you represent?

Wrong!

Page 5

Security Landscape, courtesy of ISF

Page 6

What is Security’s value to your business?

[Figure: Stages in Managing Expectations. The stages run from Reactive, through Responsive, Anticipatory and Shaping, to Co-shaping individual expectations; the corresponding experience levels run from Internally oriented, through Hassle-free, User-friendly and Engaging & exciting, to Co-shaping individual experiences. The axis is labelled Our Strategic Intent.]

The strategic intent should be to deliver increased value to your business & that of your Clients through the intelligent application of collective Security activities. NB Not silo’ed!

Page 7

NB The strategic intent should be to deliver increased value to your business & that of your Clients through the intelligent application of collective Security activities. No silos allowed!

• Apply lessons and (security aspects of) design from physical to virtual environments
• Consider both logical and physical separation for boundaries
• Beware of cross-domain boundary dataflows
• Give more thought to protecting the data as opposed to the infrastructure
• Consider enhancing Software Development Lifecycle (SDLC) efforts
• “It’s the Application Layer that matters, damn it!”
• Test, test and test again!
• Don’t neglect dynamic reuse, decommissioning & disposal
• What are your Measures of Effectiveness?
• Have you linked your Security KPIs to those of your business? NB Assumes you have KPIs …!
• What about Key Risk Indicators (KRIs)?
• Look forwards as much as backwards
• Benchmark with other forecasts, e.g. the Information Security Forum’s Threat Horizon 2013 Executive Summary

Page 8

Page 9

• Let’s not pretend that the Old World was perfect!
• The New World – virtualised, in-house or in the Cloud (public/private/hybrid) – has advantages too:
  • Scalability
  • Resilience
  • Cost-effectiveness
  • Support model is arguably less complex
  • Depends upon technological mix!
  • Fewer staff, more automation, leads to improved Quality-of-Service
  • Dynamic asset, license and configuration management should incur lower maintenance effort - and therefore cost - as a result of higher automation
• Consider knowledge management as opposed to data/information management
  • What is business value of data? Meta-data adds context …
  • Is it static, time-dependent and/or actionable?
  • What is asset value of information to business? Value-at-risk on balance sheet?

Page 10

Risk Management cycle: industry best practice

Page 11

• Virtualisation (on premise or in Cloud) and outsourcing - caveat emptor!
• Consider value to business of data and associated processes
  • What does the cost-benefit case mean to your business?
  • Conduct business impact assessments to inform criticality discussions
• Due diligence is essential (reciprocal)
  • Don’t rely solely on generic questionnaire
  • Adopt a security framework, e.g. the Common Assurance Maturity Model (CAMM): http://common-assurance.com/resources/Common-Assurance-Maturity-Model-vision.pdf
  • ‘Kick the tyres’, i.e. exercise contractual right to conduct audits
  • Don’t neglect your Supply Chain
• Take note of certifications but don’t rely on them
  • So, your Supplier has ISO27001 certificate …
  • What is the scope of applicability?
  • How much business does 3rd party auditor have with the supplier?
• Regulatory compliance = security (a topic in its own right!)

Page 12

Security controls in the virtualised world
• Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v1.2 (August 2011)
• Specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
• CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the CSA guidance in 13 domains.
• It has a customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP and will augment or provide internal control direction for SAS 70 attestations provided by cloud providers.
• CSA CCM provides organizations with necessary structure, detail and clarity relating to information security tailored to the cloud industry.
• Strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

Page 13

Cloud Security Alliance Cloud Controls Matrix (CCM) v1.2 (August 2011)

Cloud Controls Matrix (CCM): Cloud Security Alliance

Page 14

NB The strategic intent should be to deliver increased value to your business & that of your Clients through the intelligent application of collective Security activities. No silos allowed!

• Remember the Security Basics
  • Physical, People, Process & Technology in harmony
• The New World – virtualised, in-house or in the Cloud (public/private/hybrid) – has advantages too:
  • Scalability
  • Resilience
  • Cost-effectiveness
• Apply lessons and (security aspects of) design from physical to virtual environments
• Establish your Measures of Effectiveness & associated KPIs and KRIs
• Consider knowledge management as opposed to data/information management
  • What is business value of data?
  • Value-at-risk on balance sheet?
• Align with an industry standard such as CAMM or CSA CCM
• Regulatory compliance = security (a topic for the next CIO Event!)

Summary

NB Views expressed are not necessarily representative of either DTAG or T-Systems International Gmbh

Page 15

Thank you. Q & A

Alan Jenkins
Chief Security Officer
T-Systems Limited
Futura House, Bradbourne Drive, Tilbrook, Milton Keynes. MK7 8AZ
+44 7950 566735
e-mail: [email protected]