Post on 19-Oct-2014
Is Information Security less of a risk now?
In this economic climate business risks have changed.
Has information security risk moved down the Internal Auditor’s priority list?
Risk
Where does information security fit in the business risk universe?
What do businesses think?
Top Business Risks
• Regulation and compliance
• Access to credit
• Slow recovery or double-dip recession
• Managing talent
• Emerging markets
• Cost cutting
• Non-traditional entrants
• Radical greening
• Social acceptance risk and CSR
• Executing alliances and transactions
Ernst & Young Business Risk Report 2010
Where do you see Information Security?
Business Risk Environment
The Drivers:
• Regulatory and compliance seen as a major risk by business
• CEOs have seen a significant impact from regulatory change (raised capital levels and liquidity ratios)
Deloitte’s Global Risk Management Survey – Seventh Edition
Business Risk Environment (2)
The Result:
• IT investment aimed at cost efficiency as well as growth.
• Risk management incorporated into formal strategic planning processes.
Deloitte’s Global Risk Management Survey – Seventh Edition
Internal Audit (IA) trends
• Globalisation
• More flexible integrated role for Internal Audit
• Greater focus on risk management
• Hunt for talent
• Technology advances
PwC ‘Internal Audit 2012’
• Controls assurance. Risk-based audit planning.
• Controls assurance. Evaluation of risk management also.
• Outsourcing and offshoring: recognised by IA and used to help IA.
INFORMATION SECURITY VIEW
Image thanks to www.xkcd.org
2011 predictions
• Expanded digital domain (smart phones & tablets)
• Broader scope of information security aided by cost cutting and optimisation in organisations (VoIP, customised devices)
• Cybercrime – staying ahead of law enforcement
• Monitoring at a whole new level
• Social media – consumer reality and hype
More new things – more complexity
Drive for value from security
IT Governance view
• Value creation by IT is important
• IT should be proactive
• Greater focus on governance
• Outsourcing
• Cloud computing plans underway
• Social media is not highly prized.
ISACA and IT Governance Institute – 2011
Outsourcing
• Not a new activity
• History of business processes and IT applications outsourcing success or otherwise.
19% of CEOs plan to ‘insource’ a business process or function in 2011, compared to 31% of the CEOs surveyed who plan to outsource.
Source: PwC 14th Annual CEO Survey, 12 May 2011
The Cloud
[Diagram: cloud deployment models (Private, Public, Community, Hybrid); enabling technologies (Grid Computing, Platform, Virtualisation, Utility Computing, VM); service models (SaaS, PaaS, IaaS); Automatic Security Management; characteristics: cost savings, agile, scalable, resilient, service oriented]
Cloud computing is a new business model, a new way of delivering computing resources
NOT a new technology
Web2.0
Cloud Security Benefits
• Moving public data to the cloud allows you to focus on sensitive data
• Cloud homogeneity makes auditing & testing easier
• Economies of scale
• Resource concentration
• Enable automated security management
• Redundancy / disaster recovery
Easier to mind eggs in one basket – works for security too.
Cloud Security Issues
• Policy & Organisational
• Technical
• Legal
• and Trust
Policy & Organisational
• Going on the cloud to save money – simplistic, and may blind you to the need to manage.
• Passing control to the cloud provider – security responsibility is still there: SLAs should be adequate, and audit support is needed.
• Lock-in – limited support for data and service portability.
Technical risks
All the old technical risks, and some more...
• Server-side protection
• Client-side protections
• Hypervisor controls
• IAM
• Authentication controls
• Isolation: software, stored data
• Encryption and key management
Technical risks (2)
• Isolation failure – O/S, software and data; data persistence / data remanence
• Protection of more data in transit – encryption & key management
• Greater reliance on communications links – SunGard noted that 25% of DR invocations were due to communications failure! (UK figures for 2010)
Technical risks (3)
Example of cloud computing resources used to brute-force WPA-PSK passphrases.
• The idea is not new,
• The use of cloud compute resources is!
Legal / Compliance
• Data protection – does your cloud provider store your HR data outside the EU?
• Applicable laws and jurisdiction – intellectual property protection. If there is a dispute with your cloud provider ... If there is a dispute with a customer ...
• Electronic discovery
• Compliance – getting access to audit, or getting evidence of the provider’s compliance
Trust
Is it safe for companies to trust the cloud providers with their data which, in some cases, can include entire business infrastructure?
PERSPECTIVE
Image thanks to www.xkcd.org
Cloud Security Problems
Are not new...
• The technical issues are tractable
• The legal issues will probably be the hardest (read: slowest) to get resolved.
• Policy and organisational issues were encountered before.
The cloud provides the opportunity to get them right this time.
Small Player Problems
Approaches
For some it is hope and pray!
You can’t look under the hood – maybe not, but there are other options ...
• Risk focus is elsewhere
• Rely on the market
• Cloud computing risks not attracting much attention.
Approach
Look at how offshore / outsource risks are managed.
It is said (by many)
You can ultimately outsource responsibility but you cannot outsource accountability!
How do you exercise control?
Preparation
Understand:
• Policies and SLAs in place and your service expectations
• Boundaries of responsibility
• Communications, including issue resolution
• Change management
• Security controls (on offer and applied)
• Continuity – including your back-out plan
What do you need to gain trust?
Assurance
• Certification
• Audit controls, recoverability controls
• Right to audit
• Cloud provider’s history
• Provider’s approach to data breach / security reporting
• Reputation among your peers
• Reputation in the blogosphere
SAS70, ISO27001 certification BUT – understand the scope of certification!
Look for the EVIDENCE!
Final Thoughts
• Technology continues its advance
• Vulnerability exploits and countermeasures continue to be developed
• Policy, organisational and compliance issues occur as long as there is human involvement
• There are gaps, but the evidence shows these are being addressed.
michael@ofassociates.com
www.ofassociates.com
(+353) 87 28 38 667
Questions?