© 2002 Protiviti Inc.

Page 1

Securing your Corporate Infrastructure
What is really needed to keep your assets protected

Joseph Burkard – CISA, CISSP
October 3, 2002

Page 2

Securing your Corporate Infrastructure

Management Dilemma – or – Technical Problem

Security Awareness, Corporate Governance, Firewall, DMZ, Layered Defense, Intrusion Detection, Authentication, Hacker, Digital Signatures, Denial of Service, Policies & Procedures, Anti-Virus, Physical Security, Non-Repudiation, Internal Controls, Integrity, Vulnerability Testing, Confidentiality, Accountability, Availability, Device Hardening, Litigation, Access Controls, Security Program, Security Organization, Risk Assessment, Wireless, VPN, Privacy, PKI, Worms, Tokens, Cyber Terrorism, ISO 17799, GLBA, HIPAA

Page 3

Securing your Corporate Infrastructure

Security is Complex!

Traditional Obstacles

– Seen as an IT expenditure only

– Security is an event-driven industry

– Not treated the same as other operational risks

– "Won't happen to us!"

Page 4

New Information Security Drivers

1. Significant Threats – 9/11/01

2. Recent Vulnerabilities – Code Red, Nimda

3. Increased Oversight – Enron, WorldCom

Page 5

Increased Oversight and Compliance

Page 6

Increased Oversight and Compliance

| # | Governance | Date | Type | Industry |
|---|---|---|---|---|
| 1 | HIPAA | 8/1996 | Security & Privacy | Healthcare |
| 2 | GLB | 5/2000 | Security & Privacy | Financial Services |
| 3 | IIA-NACD | 2000 | Security Governance | Corporations |
| 4 | GISRA | 6/2001 | Security Standards | Government |
| 5 | FERC | 7/2002 | Security Standards | Energy |
| 6 | Sarbanes-Oxley | 8/2002 | Internal controls | Publicly traded companies |
| 7 | NYSE & NASDAQ | 8/2002 | Internal controls | Publicly traded companies |
| 8 | National Strategy | 9/2002 | Secure Cyberspace | 5 Levels, Corp & Gov |

Page 7

Information Security Governance

IIA-NACD: What Directors Need to Know

Historically, boards and senior management looked at security as a tactical IT issue. But the IIA, in collaboration with the NACD, AICPA and ISACA, has recently challenged this perspective with key governance questions*:

1. Accountability

2. Awareness

3. Ethics

4. Inclusion

5. Resource Allocation

6. Thoroughness

7. Effectiveness

8. Ongoing Assessment

9. Compliance

10. Information Sharing

* Source: Information Security Governance: What Directors Need to Know. The Institute of Internal Auditors (IIA)

Page 8

Information Security Governance

GISRA

FERC – Standards for Electric Market Participants

– Participants must have a basic Security Program covering governance, planning, prevention, operations, incident response, and business continuity.

– Security standards cover both electric systems and physical security.

– These security standards shall become effective on January 1, 2004.

– Failure to comply will result in loss of direct access privileges to the electric market.

– Senior management is responsible for the Security Program.

Page 9

Internal Controls

Sarbanes-Oxley

– Requires CEO and CFO to file an internal control report

– Increases SEC oversight and penalties

– CEO and CFO must certify quarterly or annual reports

NYSE & NASDAQ

– Corporate codes of conduct required

– Internal audit function mandated

– CEO certification required

Page 10

Information Security Governance

Questions corporate boards, financial analysts and investors should ask:

1. Who is responsible for IT security, and to whom is he/she directly accountable?

2. Do the CEO and COO review IT security?

3. What internal IT security policies exist?

4. Are the security controls sufficient?

Recommendations:

Enterprise-wide corporate security councils

Regular independent IT security audits

Chief Information Security Officer (CISO)

IT continuity plans regularly reviewed

The National Strategy to Secure Cyberspace

Page 11

Securing your Corporate Infrastructure

What is really needed to keep your assets protected?

Page 12

Develop Security Program

There are three goals for Security within an organization:

– Confidentiality

– Integrity

– Availability

These goals can be met with:

– Proper governance

– A Security Program

Page 13

Develop Security Program

Security Lifecycle

Use the Security Lifecycle to ensure realistic and enforceable policies, and to prioritize security objectives.

– Security is a Process

– Security requires a full enterprise perspective

– The Security Lifecycle provides a framework

– Security Policies, Standards, Procedures and Metrics form the core of a Security Program

SNCi Guide to Lifecycle Security™

Page 14

Develop Security Program

1. Enlist Senior Management Support

2. Define Security Objectives

3. Create Security Strategy or Vision

4. Develop Tactical Security Program

Page 15

Develop Security Program

Senior Management Commitment

– An acknowledgement of the importance of the computing resources to the business model

– A statement of support for information security throughout the enterprise

– A commitment to authorize and manage the definition of the lower level standards, procedures, and guidelines

Page 16

Develop Security Program

Security Strategy & Plan

The model below lays the groundwork for designing, implementing and maintaining a comprehensive security framework.

– The strategy and plan encompass People, Process and Technology

– Builds consensus among each of the stakeholders

– The elements of Knowledge Sharing, Best Practices, Metrics, Methodologies, and Skill Sets provide the groundwork for implementing a security framework.

– The biggest issue is the lack of a comprehensive enterprise security strategy

[Figure: Strategy & Plan model. Elements: Best Practices, Metrics/Measures, Methodology, Sharing, Skill Sets, Strategy & Plan, Technology, Processes, People.]

Page 17

Develop Security Program

Strategy

– The strategy is a high-level statement that defines the targeted state of Information Security for the organization, and how the targeted state of security can be reached.

– Must be specific to the organization

Plan

– Provides an overview of the security requirements and describes the controls

– Delineates responsibilities and expected behavior of all individuals

– Documents the structured process of planning adequate, cost-effective security protection for a system.

Page 18

Develop Security Program

People

– Identify roles, responsibilities and accountability for all critical information assets

– Determine whether the security function is appropriately staffed and whether its structure is appropriate for support of business objectives

Process

– Define, document, communicate and practice Security Management functions

– Develop and standardize security policies

Technology

– Identify the technology the IT organization uses to protect access to its network resources

– Identify the metrics to measure the performance of Security Management

– Develop technical security standards

– Identify additional security products and solutions

Page 19

Develop Security Program

Security Policies

– Forms the basis or foundation for the security framework (i.e. people, process, technology)

– Communicates management’s business intent and formulates consensus throughout the organization

– Communicates to stakeholders that company management understands their duty

– Choose a policy structure that is appropriate given your size and company culture

– Delineate responsibilities and expected behavior of all individuals who access the organization’s systems.

– Suggest ways to increase security policy awareness throughout the organization

Page 20

Develop Security Program

Information Security Framework℠ (ISF)

Our approach to managing security risk uses Protiviti's proprietary Information Security Framework℠ (ISF). The framework is based on the simple concept of balance: information security risk management techniques should balance the cost and nature of the controls implemented against the benefit of the risks assessed and controlled.

The framework covers:

• Process - The human element in a security program

• Applications - The business software providing access to data

• Data Management - Backend databases housing data

• Platform - Operating systems and hardware supporting applications

• Network - Access to applications and network elements

• Physical - Access to facilities and physical elements

Guiding principles:

– Strategies and policies ensure that business risks are effectively managed and communicated to relevant parties

– Processes and controls should be in place to detect and respond to security alerts and events

– Technical architectures and solutions should be designed and operated to provide effective solutions to security threats

– Changes to the technical environment should not create weaknesses in the security architecture

Page 21

Summary

Page 22

Summary

Security is Complex!

Governance = Accountability

Security is a Process

Enlist Senior Management Support

Define Security Objectives

Create Security Strategy or Vision

Develop Tactical Security Program

People, Process and Technology

Security Policies and Awareness

Page 23

Introducing Protiviti: Who we are

We are a leading provider of completely independent business and technology risk consulting and internal audit services

Page 24

Business facts

Protiviti has offices in 25 major U.S. markets, with more than 750 experienced professionals.

We specialize in helping clients identify, measure and manage operational and technology-related risks within their industries and throughout their systems and processes.

Our fields of specialization within Technology Risk Management include:

– Security and Privacy

– Business Systems Control and Effectiveness

– Disaster Recovery

– Information Systems Testing

– Reliability and Performance

– IT Asset Management

– Project Management

– Change Management

– IT Optimization

We are a subsidiary of Robert Half International Inc., the world's leading specialized staffing and consulting services firm, with 2001 revenues of $2.5 billion. Our parent company was named one of "America's Most Admired Companies" by Fortune magazine for the fourth straight year. RHI has also been featured on the Forbes Platinum 400 list of the best big companies in America, likewise for the fourth consecutive year.

For more information, visit our website at www.protiviti.com

Page 25

Joseph Burkard, CISA, CISSP

Background

Joe is a Senior Manager in Protiviti's Milwaukee office. He has over seven years' experience in information technology, the last three with Andersen prior to Protiviti. He has been an IS security and risk consultant, network engineer and system administrator.

He has developed security architecture and methodologies, performed numerous security related risk assessment audits and has managed system installation and application integration projects.

He is a Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP).

Relevant Experience

Information Security

Project Risk Management

IT Risk Assessment

Infrastructure Management

Internal and IS Audit

Representative Clients

Briggs & Stratton

Commercial Federal Bank

Kohler

Lands’ End

Manpower

Newell-Rubbermaid

PepsiAmericas

Roundy’s

SC Johnson

Sprint

United Health Group

Certifications

Certified Information Systems Auditor (CISA)

Certified Information Systems Security Professional (CISSP)

Fellow, Life Management Institute (FLMI)