Culture Clash: Law, Business and Technology
Mitch Dembin
Chief Security Advisor (US)
Microsoft Corporation

How We Got Here
  Computer OS, Apps and Internet Protocols not designed for security
  Criminals
    Malicious Hackers
    Corrupt Insiders
    Virus/Worm Writers
  Publicity
    Primarily Website Defacements
  Identity Theft

What We Did
  Panic - Haphazard Frenzied Reaction to Security Incidents
  Perimeter Protection
  Pushed Data Security to IT Departments without funding/training or understanding of special skills required
  Allowed development of one-off security solutions throughout enterprise

Results
  Silos
    By acquisition, design or reaction to a security event
  Little attention to security architecture, writing secure code, strategic security planning
  Some progress in infrastructure protection leading to attacks up the stack

Consequences
  Here come the lawyers
    EEA, HIPAA, GLB, Sarbanes
  Common Thread:
    Reasonableness
    Appropriateness
    Interpreted by lawyers after the fact
  And, on their heels, come the dreaded AUDITORS

Compliance – A Partial Landscape
  Sarbanes-Oxley: Fiscal accountability for all public companies
  Basel II: Capital assessment and reporting standards for global banking
  USA PATRIOT Act: Customer documentation requirements in order to "know your customer"
  DoD 5015.2 and UK PRO: Federal standards of records management
  Health Insurance Portability and Accountability Act (HIPAA): Right to carry insurance between jobs; privacy of patient information
  NASD 3110: Written policies and procedures for review of correspondence with the public
  SEC Rules 17a-3 & 17a-4: All records related to securities transactions to be maintained for 3 years
  Gramm-Leach-Bliley Act (GLBA): Privacy of financial information
Source: Microsoft Compliance Summit; October 2003

The Players
  Business Decision Makers
    Language = Brand Protection, Competitive Advantage, Value and ROI
  IT Security
    Language = Technology
  Lawyers
    Language = Reasonableness
  Auditors
    Language = Checklists

Guiding Principle No. 1
  It is really difficult to make predictions, especially about the future (Y. Berra)

Problem 1: The Silo
  Assumptions:
    Different data of relatively equal importance
    With different security solutions created, implemented and managed by different technology, people and processes
    Of demonstrably different effectiveness

Problem 1: Continued
  Data in less secure silo compromised
  How do you demonstrate to lawyers/auditors/regulators/shareholders that protection of the data was reasonable/adequate when better solutions were employed for equally important data elsewhere in the enterprise?

Problem 2: Emerging Technologies
  Multiple Factor Authentication
  Rights Management
  Network Segmentation

Where We Need To Go
  Enterprise-wide security plan
    Combat silos
    People, Process & Technology
  Dissemination of best practices
  Emergency and Incident Response
  Common Language

Common Ground?
  Risk Assessment
  Risk Mitigation
  Risk Management

Guiding Principle No. 2
  In theory, there is no difference between theory and practice. In practice, there is.
  Y. Berra

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.