Mitigate Risk
Carolyn Burke, MA, CISSP, CISM
CEO, Integrity Incorporated
March 23, 2004, 2pm
Copyright 2004 Integrity Incorporated
Things we should go over
• Background Information
• Identifying Risks
• Relationship between Privacy & Security
• What Causes Security & Privacy Risks
• Using a Risk Management Approach
• Risk and Vulnerability Assessment
• Protecting Privacy & Security
• Security & Privacy Management Capabilities Maturity Model
• Case Study!
But first, how mature do you think you are?
• From 1 to 5, rate yourself:
  – on policy, process & procedures
  – on privacy & security
  – on technology
Identifying Risks

What is at Risk?
Assets of the organization include
– Secrets
– $$
– Time, effort
– People
What else is at Risk?
– Public trust in the organization
  • PR risk
  • May impede ability of the organization to operate effectively
– Operational capabilities of the organization
  • Can be disrupted by unauthorized system modifications
  • Can be disrupted by Denial of Service and Distributed Denial of Service attacks
And still more
– Your clients
  • Privacy of clients’ personal information
  • Legally protected (legislation)
  • Contractually protected (policy, contract)
  • What information must be protected?
– Accuracy of clients’ personal information
  • Legal requirements
  • Operational necessity
Identifying Risks

The Relationship between Privacy & Security
[Diagram: security shown as the C-I-A triad of confidentiality, integrity and availability]

What Causes Security & Privacy Risks
• Technical vulnerabilities
• Fraud
• Operational issues
• The bad guys
Technical vulnerabilities
• Technical faults
  • Software bugs, incorrect documentation
  • Misconfiguration
    – software, servers, firewalls / security systems, routers
    – various other network elements
• Hardware failure
  – lack of redundancy
  – poor maintenance schedule
More technical vulnerabilities
• Poor technical architecture
• Lack of
  – appropriate perimeter defenses
  – intrusion detection systems
  – adequate access controls
  – adequate authentication systems
  – adequate authorization controls
Fraud
• Intentional misrepresentation
  • By clients
  • By staff
  • By company executives
• External parties misrepresenting the company
Operational issues
– Insufficient checks & balances
  • peer review
  • periodic internal review
  • external audit
– Human error
– Faulty procedures
– Undocumented or missing procedures
– Lack of standardization
Do you have:
• a security awareness program
• a readable security policy
• an incident response plan
More operational issues
– Lack of a clear policy framework
– Poor real-time handling of security incidents
– Lack of privacy awareness among all staff
– Lack of security awareness among all staff
– Extreme shortage of security skills among IT staff
Do you have:
• a business continuity plan
• a disaster recovery plan
• a backup and recovery system
Bad guys
– Amateur hackers
– Well-intentioned researchers
– Malicious professionals
– Financially motivated professionals (your loss, their gain)
What Causes Security & Privacy Risks
• What high-level approach does your organization use today to address security & privacy issues?
• How effective is it?
The Risk Management Approach to Security & Privacy Strategy
You can’t eliminate 100% of risks…
… but you can develop a risk management framework which...
A Risk Management Framework
– takes a strategic approach
– provides a disciplined cost-benefit framework
– establishes clear high-level policies to guide tactical decision-making
– provides detailed processes & procedures
– specifies appropriate levels of protection (technical & procedural) based on sound analysis of vulnerabilities & resulting risks
– sets technical standards
– justifies security & privacy expenditures on both an economic & a legislative basis
The Risk Management Approach: Key Components
• Driven by risk analysis
  – Types of risks × Probabilities of risk × Costs of losses
  – Types of risk mitigation - impact on probabilities and losses
• High-level security & privacy mandate - policies!
• Accountability in all risk-related activities
• Success factors
  – Continuous Improvement
  – Dynamic response to new threats
Continuous Security Framework
Okay, this is for the CSO.
[Diagram: flow of control, flow of knowledge, verification]
Metrics & Continuous Improvement
The Risk Management Approach to Security & Privacy Strategy
Map out the high-level steps your organization needs to take to use a risk-management approach to privacy and security.
Risk and Vulnerability Assessment

Risk vs. Vulnerability
Risk is economic & legal
Vulnerability is technical & procedural
Quantifying risk
Economic Risk ($) = Types of risks × Probabilities of risk (%) × Costs of losses ($)
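The risk formula above, together with the "disciplined cost-benefit framework" and "impact on probabilities and losses" points from the Key Components slide, carried through as an added example (not code from the deck or from Integrity Incorporated). All risk types, probabilities, loss figures and control costs are constructed sample values, and the greedy selection is one simple way of ranking controls, not the presenter's method.

```python
# Added example (not the deck's): Economic Risk = sum of probability x cost of loss per risk type.
from typing import NamedTuple

class Risk(NamedTuple):
    name: str
    probability: float  # chance the loss occurs in a year (0.0 - 1.0)
    loss: float         # $ cost to the organization if it does occur

class Mitigation(NamedTuple):
    name: str
    target: str          # risk type this control acts on
    annual_cost: float   # $ per year to run the control
    p_factor: float      # multiplies the target's probability (1.0 = unchanged)
    loss_factor: float   # multiplies the target's loss (1.0 = unchanged)

def economic_risk(risks):
    """Sum over risk types of probability x cost of loss: annual expected loss in $."""
    return sum(r.probability * r.loss for r in risks)

def apply_mitigation(risks, m):
    """New risk list with the control's effect applied to its target risk only."""
    return [r._replace(probability=r.probability * m.p_factor, loss=r.loss * m.loss_factor)
            if r.name == m.target else r for r in risks]

def net_benefits(risks, mitigations):
    """Annual risk reduction minus annual cost, each control judged on its own."""
    base = economic_risk(risks)
    return {m.name: round(base - economic_risk(apply_mitigation(risks, m)) - m.annual_cost, 2)
            for m in mitigations}

def select_mitigations(risks, mitigations):
    """Greedy: keep taking the control with the largest positive net benefit against the
    already-mitigated profile until none pays for itself. Returns (names, residual $)."""
    current, remaining, chosen = list(risks), list(mitigations), []
    while remaining:
        gains = net_benefits(current, remaining)
        best = max(remaining, key=lambda m: gains[m.name])
        if gains[best.name] <= 0:
            break  # remaining controls cost more than the risk they remove
        chosen.append(best.name)
        current = apply_mitigation(current, best)
        remaining.remove(best)
    return chosen, round(economic_risk(current), 2)

# Constructed sample risk profile and candidate controls (illustrative figures only).
RISKS = [Risk("ransomware outage", 0.20, 250_000), Risk("client data breach", 0.10, 400_000),
         Risk("staff fraud", 0.05, 60_000)]
MITIGATIONS = [Mitigation("tested backups & DR plan", "ransomware outage", 20_000, 1.0, 0.4),
               Mitigation("encrypt client data", "client data breach", 15_000, 1.0, 0.25),
               Mitigation("periodic external audit", "staff fraud", 12_000, 0.5, 1.0)]
```

Note that the residual risk after selection is still well above zero: the framework lowers risk to a level the organization can justify economically, it does not remove it.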
Assessing vulnerability
– Technical
  • Attack & Penetration Testing
  • Network Security Review
– Procedural
  • Privacy Impact Assessment
  • Policy Audit
  • Processes & Procedures Audit
Risk and Vulnerability Assessment
Estimate the outcomes which would result if your organization were to undergo:
– A thorough Attack & Penetration test?
– A thorough Network Security Review?
– A thorough Privacy Policies Audit?
– A thorough Operational Security (Processes & Procedures) Audit?
Protecting Privacy & Security
• Technology solutions
• Procedural solutions
Technology solutions (and the properties each provides)
– Firewalls: privacy, integrity, authentication
– Encryption: privacy
  • Includes SSL (for web traffic), IPSec VPNs (for remote network access), PGP and S/MIME (for email), etc.
– Passwords: authentication
  • Risks: reusable passwords, plaintext protocols
– Tokens: authentication
– Certificates: authentication
– Intrusion Detection Systems / IDS: integrity, privacy
– Digital signatures: integrity, authentication, non-repudiation
– PKI: privacy, authentication, integrity, non-repudiation
– PMI: authorization, privacy, authentication, integrity
Procedural solutions (and the properties each provides)
– “Need to know” (principle of least privilege): privacy
– Change controls: privacy, authentication, integrity, non-repudiation
– Audit processes: increased assurance re. all factors
– Technical standardization: privacy, authentication, integrity, non-repudiation
Protecting Privacy & Security
• What are the primary methods (procedural / technological) used by your organization to:
  – Protect privacy
  – Perform authentication
  – Ensure non-repudiation for online transactions
  – Maintain data and systems integrity
Security & Privacy Management Capabilities Maturity Model (TM)
– Measuring success using a baseline
  • Proprietary, standardized
  • Based on CERT’s Systems Security Engineering Capability Maturity Model
– Provides maturity metrics on high-level organizational security and privacy capabilities
SPM-CMM(TM) Level 1
– Organization handles Security & Privacy issues informally
– Organization does not have documented Security & Privacy policies

SPM-CMM(TM) Level 2
– Organization has documented Security & Privacy policies
– Organization has assigned resources to plan Security & Privacy initiatives
– Effective training programs re. Security & Privacy
– Organization has effective processes to verify compliance with Security & Privacy policies

SPM-CMM(TM) Level 3
– Organization has concrete Security & Privacy standards & requirements (policies, procedures, technical standards)
– Organization has effective processes to verify consistency of all activities with Security & Privacy standards & requirements

SPM-CMM(TM) Level 4
– Organization has measurable, quantitative Security & Privacy goals
– Organization tracks objective performance relative to Security & Privacy goals
– Strong individual accountability

SPM-CMM(TM) Level 5
– Organization has an effective Continuous Improvement program for Security & Privacy
– Organization has defined improvement goals, causal analysis of Security & Privacy performance issues, and systematic incremental feedback
Security & Privacy Management Capabilities Maturity Model (TM)
• Important considerations:
  – What is the impact of moving to the next maturity level?
  – What changes to technologies, processes, and policy would you need to make?
Long-Distance Health Care / Privacy
• Public sector health care network enabling doctor-to-doctor communication between urban specialists and remote patients/hospitals/GPs
• Cost effective communication required - a private network using internet technologies
• Maintain privacy - information shared between organizations, across borders
• Security technology, policy reviews
• Privacy policies of all organizations amalgamated
• Most stringent policy had to apply to all to ensure that all policies were met
SPM-CMM(TM): Level 1 → Level 2
Results
• Policy review for all organizations
• Co-ordination of all co-operating institutions’ privacy policies so that they were amalgamated and covered; had to use the most stringent policy
• Training to properly handle exchange of information - varying legislative jurisdictions
Services
• Needs Assessment, Privacy Impact Assessment, Gap Analysis, Policy Writing, Training
Where do you rank your organization on the SPM-CMM(TM)?
For security? For privacy? Overall?
Thank you!!!!
Carolyn Burke, MA, CISSP, CISM
CEO, Integrity Incorporated
www.integrityincorporated.com/subscribe.aspx