Page 1: Information Security Industry View

Enterprise Computing Community, June 13 - 15, 2010
February 27, 2010

Linda Betz, IBM Director IT Policy and Information Security

Page 2: Agenda

• Challenges in Enterprise IT Security Today
• Options to address IT security challenges

Page 3: Primary Cause of data breach

Chart: share of breaches by primary cause (Ponemon Institute, LLC; 2007 Annual Study: U.S. Cost of a Data Breach):

• Lost laptop or other device: 49%
• Third party or outsourcer: 16%
• Malicious insider: 9%
• Paper records: 9%
• Electronic backup: 7%
• Hacked systems: 5%
• Malicious code: 4%
• Undisclosed: 2%

“Security is evolving from the traditional, perimeter-centric model of protecting infrastructure to a data-centric model that protects information”

“…according to Gartner, insider threats are responsible for about 70% of security breaches” (Pervasive Security in a Connected World, Wachovia, April 2007)

Gartner estimates a breach of customer information can cost a company from $50 to $1,000 per customer record, depending on the number of accounts impacted. Typical costs include:

• Brand reputation
• Lost customers
• Loss of revenue
• Audit fees
• Call center expenses
• Notification costs

Litigation and regulatory fines drive the numbers even higher.

As the risks expand and the cost of associated losses increases, data protection is top of mind.

Page 4: Challenges of Enterprise Security Today

• Global employees
  – Creating infrastructure that gives people access to data while controlling access to key data
  – Wanting to work from anywhere on any device
  – Blurring of lines between personal and business activities
  – Global resourcing
• Financial challenges and global competition
• Global business partners
  – Allowing controlled access to data by third parties
• Concern about protecting client data, company intellectual property and regulated data
• Worldwide regulations about handling data
  – Cross-border data flow, personal information, government data
• Enabling business
• Increased sophistication of hackers

Page 5: IBM’s Global Operations – A Challenge to Secure

[Figure: IBM site locations, with a legend for Major Employee Sites, Customer Fulfillment, Manufacturing, Employee Service Centers, IBM Research Centers and IBM Internal Data Centers.]

• 400,000 employees
• Approx. 200,000 contractors
• $102 B revenue in 2009

Page 6: Variety of options to address security challenges

• Risk assessments
  – Communication mechanism
  – Prioritization
  – Acceptance of residual risk
• Policies
  – Centralized or decentralized
  – IT, employee, 3rd party
• Technical solutions
  – Layers of defense
  – Preventative (ex: DLP)
  – Educational (ex: DLP)
• Compliance programs
  – Self testing
  – Internal audit
  – External audit
  – Tools to automatically test
• Security awareness and training
• Crisis management program
  – Ability to move work
  – Loss of customer data
  – Loss of regulated data
• Penetration testing

Page 7: IBM IT Security Transformations

[Figure: timeline chart, x-axis 2000 to 2012 in two-year steps, y-axis “Scope of Protection”. Transformations plotted along the timeline: Network Security Architecture; Threat Evaluation / Incident Mgt.; Malware Mitigation; Identity Mgt & Use What We Sell; Application Vulnerability Scanning; SPI Protection. The year each item is placed at is not recoverable from the extracted text.]

Page 8: CIO IT security directives

• Corporate Instruction: "Information Technology Security"
  – Infrastructure security standards
  – Employee security standards
  – Third-party security and privacy standards
  – Vital business process standard
  – Data classification standard

Page 9: Security takes a team

• Chief information security officer
• Physical security
• Chief privacy officer
• Chief risk officer
• Procurement
• Legal
• Marketing
• Human resources
• Corporate audit
• Third parties and vendors

Page 10: Defense in Depth for Blended Threat mitigation

[Figure: layered diagram of controls, listed here in the order they appear from the endpoint outward.]

• Personal firewall
• HIPS
• System policy, processes, procedures
• Local network connections and firewalls
• Campus IPS
• Email server antivirus
• Email gateway antivirus
• WAN firewall
• Router ACLs
• Internet gateway IPS
• Infrastructure policy, processes, procedures
• Antivirus
• System configuration: current, consistent, compliant

Page 11: Risk Assessment Approach

[Figure: risk matrix. Horizontal axis, Likelihood of Event Occurring (in next 12 months): Unlikely, Possible, Likely. Vertical axis, Impact of Event: Low, Medium, High. The Likely/High corner is labelled Highest Risk Exposure and the Unlikely/Low corner Lowest Risk Exposure; sample events marked A, B and C are plotted on the grid (their positions are not recoverable from the extracted text).]

Impact of Event
• Loss of revenue
• Increased cost
• Brand reputation negative impact
• Loss of assets
• Loss of use of infrastructure

Likelihood of Event
• How likely is the event in the next 12 months?

Page 12: Workstation security tool

Scans for security compliance of all Microsoft® Windows® and Linux® end user PCs:

• Hard drive password
• Screen lock
• Encrypted databases
• Anti-virus with automatic updates
• Firewall configuration
• Limit peer-to-peer file sharing
• Password rules
• Windows service pack level
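The checklist above (and the “current, consistent, compliant” system configuration goal on page 10) is the kind of thing a scanner encodes as rules over an endpoint’s collected state. The following is an added example written for this page, not IBM’s workstation tool: a rule engine that evaluates the eight checks against a posture record. The POLICY thresholds, the posture field names and the two sample hosts are assumptions constructed for illustration; a real scanner would populate the posture from the OS, the AV agent and the firewall rather than from literals.

```python
# Added example for this page, not IBM's workstation tool: a rule-based
# compliance scan over an endpoint "posture" record for the eight checks on
# the slide. POLICY thresholds and the sample postures are constructed
# assumptions; a real scanner collects posture from the OS and AV/firewall agents.
from collections import namedtuple

Finding = namedtuple("Finding", "rule passed detail")

POLICY = {  # assumed values, not IBM's standards
    "screen_lock_max_seconds": 900, "av_signature_max_age_days": 3,
    "password_min_length": 8, "password_max_age_days": 90,
    "min_windows_service_pack": {"Windows XP": 3, "Windows 7": 1},
    "blocked_p2p_processes": {"utorrent", "limewire", "bittorrent"},
}

def rule_hard_drive_password(p):
    # Lost devices led the breach causes on page 3: the disk must be unreadable
    # without a pre-boot password or full-disk encryption.
    ok = bool(p.get("hdd_password") or p.get("full_disk_encryption"))
    return ok, f"hdd_password={p.get('hdd_password')} fde={p.get('full_disk_encryption')}"

def rule_screen_lock(p):
    t = p.get("screen_lock_seconds")  # 0 or None means the lock is disabled
    return (t is not None and 0 < t <= POLICY["screen_lock_max_seconds"]), f"screen_lock_seconds={t}"

def rule_encrypted_databases(p):
    clear = [d["name"] for d in p.get("local_databases", []) if not d.get("encrypted")]
    return not clear, f"unencrypted_databases={clear}"

def rule_antivirus_auto_update(p):
    av = p.get("antivirus") or {}
    ok = bool(av.get("installed") and av.get("auto_update")
              and av.get("signature_age_days", 999) <= POLICY["av_signature_max_age_days"])
    return ok, f"antivirus={av}"

def rule_firewall_configuration(p):
    fw = p.get("firewall") or {}
    return bool(fw.get("enabled") and fw.get("default_inbound") == "deny"), f"firewall={fw}"

def rule_p2p_file_sharing(p):
    hits = sorted({n.lower() for n in p.get("running_processes", [])} & POLICY["blocked_p2p_processes"])
    return not hits, f"p2p_processes={hits}"

def rule_password_rules(p):
    pw = p.get("password_policy") or {}
    ok = (pw.get("min_length", 0) >= POLICY["password_min_length"]
          and 0 < pw.get("max_age_days", 0) <= POLICY["password_max_age_days"])
    return ok, f"password_policy={pw}"

def rule_windows_service_pack(p):
    # Windows-only; Linux passes as not applicable. Unknown Windows releases
    # fail closed because no baseline exists for them.
    if p.get("os_family") != "Windows":
        return True, f"not applicable on {p.get('os_family')}"
    need = POLICY["min_windows_service_pack"].get(p.get("os_name"))
    have = p.get("service_pack", 0)
    if need is None:
        return False, f"no service pack baseline for {p.get('os_name')}"
    return have >= need, f"service_pack={have} required>={need}"

RULES = [rule_hard_drive_password, rule_screen_lock, rule_encrypted_databases,
         rule_antivirus_auto_update, rule_firewall_configuration, rule_p2p_file_sharing,
         rule_password_rules, rule_windows_service_pack]

def scan(posture):
    """One Finding per rule, named after the rule function minus its 'rule_' prefix."""
    return [Finding(fn.__name__[5:], *fn(posture)) for fn in RULES]

def failed_rules(posture):
    return [f.rule for f in scan(posture) if not f.passed]

def is_compliant(posture):
    return not failed_rules(posture)

# Constructed sample postures, not real hosts.
COMPLIANT_WINDOWS = {
    "os_family": "Windows", "os_name": "Windows 7", "service_pack": 1,
    "hdd_password": True, "full_disk_encryption": False, "screen_lock_seconds": 600,
    "local_databases": [{"name": "mail.nsf", "encrypted": True}],
    "antivirus": {"installed": True, "auto_update": True, "signature_age_days": 1},
    "firewall": {"enabled": True, "default_inbound": "deny"},
    "running_processes": ["explorer.exe", "outlook.exe"],
    "password_policy": {"min_length": 8, "max_age_days": 90},
}
NONCOMPLIANT_LINUX = {
    "os_family": "Linux", "os_name": "RHEL 5",
    "hdd_password": False, "full_disk_encryption": False, "screen_lock_seconds": 0,
    "local_databases": [{"name": "mail.nsf", "encrypted": False}],
    "antivirus": {"installed": True, "auto_update": True, "signature_age_days": 2},
    "firewall": {"enabled": True, "default_inbound": "deny"},
    "running_processes": ["bash", "LimeWire"],
    "password_policy": {"min_length": 12, "max_age_days": 90},
}

if __name__ == "__main__":
    for label, host in (("win7", COMPLIANT_WINDOWS), ("rhel5", NONCOMPLIANT_LINUX)):
        for f in scan(host):
            print(f"{label:6}{'PASS' if f.passed else 'FAIL'} {f.rule}: {f.detail}")
```

Two design points matter more than the individual checks: every rule fails closed (a missing field, a disabled screen lock recorded as 0, or a Windows release with no baseline all count as non-compliant rather than unknown), and each finding carries the observed value so the report a user or auditor sees says why a host failed, not just that it did.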

Page 13: Employee Education

Security and data protection must always be top-of-mind.

Reminders and tips shared with the entire workforce.

Corporate-wide messaging created an umbrella for unit- and geo-specific initiatives.

Page 14: Thanks!

Linda Betz
Director, IBM IT Policy and Information Security
[email protected]

Page 15: Trademarks and notes

• IBM and the IBM logo are registered trademarks, and other company, product or service names may be trademarks or service marks of International Business Machines Corporation in the United States, other countries, or both.
• Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
• Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
• Other company, product or service names may be trademarks or service marks of others.
• References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.