© 2002 Protiviti Inc. | 1
Securing your Corporate Infrastructure
What is really needed to keep your assets protected
Joseph Burkard – CISA, CISSP
October 3, 2002
Securing your Corporate Infrastructure
Management Dilemma — or — Technical Problem
Security Awareness
Corporate Governance
Firewall
DMZ
Layered Defense
Intrusion Detection
Authentication
Hacker
Digital Signatures
Denial of Service
Policies & Procedures
Anti-Virus
Physical Security
Non-Repudiation
Internal Controls
Integrity
Vulnerability Testing
Confidentiality
Accountability
Availability
Device Hardening
Litigation
Access Controls
Security Program
Security Organization
Risk Assessment
Wireless
VPN
Privacy
PKI
Worms
Tokens
Cyber Terrorism
ISO 17799
GLBA
HIPAA
Securing your Corporate Infrastructure
Security is Complex!
Traditional Obstacles
– IT expenditure only
– Security is an event driven industry
– Not same as other operational risks
– Won’t happen to us!
New Information Security Drivers
1. Significant Threats – 9/11/01
2. Recent Vulnerabilities – Code Red, Nimda
3. Increased Oversight – Enron, WorldCom
Increased Oversight and Compliance
Governance Date Type Industry
1. HIPAA 8/1996 Security & Privacy Healthcare
2. GLB 5/2000 Security & Privacy Financial Services
3. IIA—NACD 2000 Security Governance Corporations
4. GISRA 6/2001 Security Standards Government
5. FERC 7/2002 Security Standards Energy
6. Sarbanes—Oxley 8/2002 Internal controls Publicly traded companies
7. NYSE & NASDAQ 8/2002 Internal controls Publicly traded companies
8. National Strategy 9/2002 Secure Cyberspace 5 Levels, Corp & Gov
Information Security Governance
IIA—NACD: What Directors Need to Know
Historically, boards and senior management looked at Security as a tactical IT issue. But the IIA, in collaboration with the NACD, AICPA and ISACA, has recently challenged this perspective with key governance questions*:
1. Accountability
2. Awareness
3. Ethics
4. Inclusion
5. Resource Allocation
6. Thoroughness
7. Effectiveness
8. Ongoing Assessment
9. Compliance
10. Information Sharing
* Source: Information Security Governance: What Directors Need to Know. The Institute of Internal Auditors (IIA)
Information Security Governance
GISRA FERC—Standards for Electric Market Participants
Participants must have a basic Security Program covering governance, planning, prevention, operations, incident response, and business continuity.
Security standards for electric systems and physical security
These security standards shall become effective on January 1, 2004.
Failure to comply will result in loss of direct access to privileges to the electric market.
Senior management is responsible for the Security Program
Internal Controls
Sarbanes—Oxley
Requires CEO and CFO to file internal control report
Increases SEC oversight and penalties
CEO and CFO must certify quarterly or annual reports
NYSE & NASDAQ
Corporate codes of conduct required
Internal audit function mandated
CEO certification required
Information Security Governance
Questions corporate boards, financial analysts and investors should ask:
1. Who is responsible for IT security, and to whom is he/she directly accountable?
2. Do the CEO and COO review IT security?
3. What internal IT security policies exist?
4. Are the security controls sufficient?
Recommendations:
Enterprise-wide corporate security councils
Regular independent IT security audits
Chief Information Security Officer (CISO)
IT continuity plans regularly reviewed
The National Strategy to Secure Cyberspace
Securing your Corporate Infrastructure
What is really needed to keep your assets protected?
Develop Security Program
There are three goals for Security within an organization:
– Confidentiality
– Integrity
– Availability
These goals can be met with:
– Proper governance
– A Security Program
Develop Security Program
Security Lifecycle
Use the Security Lifecycle to ensure realistic and enforceable policies, and to prioritize security objectives.
– Security is a Process
– Security requires a full enterprise perspective
– The Security Lifecycle provides a framework
– Security Policies, Standards, Procedures and Metrics form the core of a Security Program
SNCi Guide to Lifecycle SecurityTM
Develop Security Program
1. Enlist Senior Management Support
2. Define Security Objectives
3. Create Security Strategy or Vision
4. Develop Tactical Security Program
Develop Security Program
Senior Management Commitment
– An acknowledgement of the importance of the computing resources to the business model
– A statement of support for information security throughout the enterprise
– A commitment to authorize and manage the definition of the lower level standards, procedures, and guidelines
Develop Security Program
Security Strategy & Plan
The model to the right lays the groundwork for designing, implementing and maintaining a comprehensive security framework.
– The strategy and plan encompass People, Process and Technology
– Builds consensus among each of the stakeholders
– The elements of Knowledge Sharing, Best Practices, Metrics, Methodologies, and Skill Sets provide the groundwork for implementing a security framework
– The biggest issue is the lack of a comprehensive enterprise security strategy
[Figure: Strategy & Plan model. Elements: Best Practices, Metrics/Measures, Methodology, Knowledge Sharing, Skill Sets. Layers: People, Processes, Technology]
Develop Security Program
Strategy
– The strategy is a high-level statement that defines the targeted state of Information Security for the organization, and how the targeted state of security can be reached
– Must be specific to the organization
Plan
– Provides an overview of the security requirements and describes the controls
– Delineates responsibilities and expected behavior of all individuals
– Documents the structured process of planning adequate, cost-effective security protection for a system.
Develop Security Program
People
– Identify roles, responsibilities and accountability for all critical information assets
– Determine whether the security organization is appropriately staffed and whether its structure is appropriate for support of business objectives
Process
– Define, document, communicate and practice Security Management functions
– Develop and standardize security policies
Technology
– Identify the technology the IT organization uses to protect access to its network resources
– Identify the metrics to measure the performance of Security Management
– Develop technical security standards
– Identify additional security products and solutions
Develop Security Program
Security Policies
– Form the basis or foundation for the security framework (i.e. people, process, technology)
– Communicate management’s business intent and build consensus throughout the organization
– Communicate to stakeholders that company management understands its duty
– Choose a policy structure that is appropriate given your size and company culture
– Delineate responsibilities and expected behavior of all individuals who access the organization’s systems.
– Suggest ways to increase security policy awareness throughout the organization
Develop Security Program
Information Security FrameworkSM (ISF)
Our approach to managing security risk uses Protiviti’s proprietary Information Security FrameworkSM (ISF). The framework is based on the simple concept of balance: that information security risk management techniques should create a balance between the cost and nature of controls implemented and the benefit of risks assessed and controlled.
• Process - The human element in a security program
• Applications - The business software providing access to data
• Data Management - Backend databases housing data
• Platform - Operating systems and hardware supporting applications
• Network - Access to applications and network elements
• Physical - Access to facilities and physical elements
Strategies and policies ensure that business risks are effectively managed and communicated to relevant parties
Processes and controls should be in place to detect and respond to security alerts and events
Technical architectures and solutions should be designed and operated to provide effective solutions to security threats
Changes to the technical environment should not create weaknesses in the security architecture
Summary
Security is Complex!
Governance = Accountability
Security is a Process
Enlist Senior Management Support
Define Security Objectives
Create Security Strategy or Vision
Develop Tactical Security Program
People, Process and Technology
Security Policies and Awareness
Introducing Protiviti: Who we are
We are a leading provider of completely independent business and technology risk consulting and internal audit services
Business facts
Protiviti has offices in 25 major U.S. markets, with more than 750 experienced professionals.
We specialize in helping clients identify, measure and manage operational and technology-related risks within their industries and throughout their systems and processes.
Our fields of specialization within Technology Risk Management include:
– Security and Privacy
– Business Systems Control and Effectiveness
– Disaster Recovery
– Information Systems Testing
– Reliability and Performance
– IT Asset Management
– Project Management
– Change Management
– IT Optimization
• We are a subsidiary of Robert Half International Inc., the world’s leading specialized staffing and consulting services firm, with 2001 revenues of $2.5 billion. Our parent company was named one of “America’s Most Admired Companies” by Fortune magazine for the fourth straight year. RHI has also been featured on the Forbes Platinum 400 list of the best big companies in America, also for the fourth consecutive year.
For more information, visit our website at www.protiviti.com
Joseph Burkard, CISA, CISSP
Background
Joe is a Senior Manager in Protiviti’s Milwaukee office. He has over seven years’ experience in information technology, the last three with Andersen prior to Protiviti. He has been an IS security and risk consultant, network engineer and system administrator.
He has developed security architectures and methodologies, performed numerous security-related risk assessment audits, and has managed system installation and application integration projects.
He is a Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP).
Relevant Experience
Information Security
Project Risk Management
IT Risk Assessment
Infrastructure Management
Internal and IS Audit
Representative Clients
Briggs & Stratton
Commercial Federal Bank
Kohler
Lands’ End
Manpower
Newell-Rubbermaid
PepsiAmericas
Roundy’s
SC Johnson
Sprint
United Health Group
Certifications
Certified Information Systems Auditor (CISA)
Certified Information Systems Security Professional (CISSP)
Fellow, Life Management Institute (FLMI)