Infosec russia cnemeth_v1.2.ppt
Uploaded by: christophe-nemeth-cissp-cism
Transcript of Infosec russia cnemeth_v1.2.ppt
Information Security! New Paradigm!
Christophe Nemeth INOVEMENT Group +41 79 477 50 23
Agenda • Information Security Today
• Key Risks
• New Information Era
• New Information Security Paradigm
• From Technical to Organizational
• A Business Information Security Strategy
• Questions
Information Security Today • Castle Analogy
• Technical approach
• Operational
Key Risks • Key Security Risks
- Cyber Security
‣ Origin: Hacker
- Compliance
‣ Origin: Law & Regulations
- Continuity
‣ Origin: Major Outage
- Business Transformation
‣ Origin: Information Security
• Information Security Measures to
- Protect data
- Protect operations
- Protect reputation
- Protect revenue
New Information Era • Hyper-connected Era
• Boundaryless information flows across organizations
• A hardened perimeter security strategy is impossible to sustain and is fundamentally at odds with an agile business model.
• Entire value chains, from suppliers to customers, are electronically connected and collaborating as never before.
• The number of mobile workers is expected to reach 1.3 billion by 2015.
• Deperimeterization
Figures and content of this slide are from: http://www.ibm.com/smarterplanet/us/en/index.html
New Information Security Concerns • New technologies bring new user behaviors:
- Cloud Computing
- Mobile Devices
- BYOD
- Social Media
New Information Security Concerns • Systemic approach: why?
- Mobile means BYOD
- BYOD means Social Media
- Mobile/BYOD means Synchronization
- Synchronization means Cloud
• New technology adoption therefore requires an enterprise-wide approach
Mobile - BYOD • Find the right balance between openness and risk management.
• Their devices... your data?
• It blurs professional and private
- identities
- activities
- information
Mobile - BYOD • Key Rules
- Establish the rules and spread the word (Policies, Acceptable Use)
‣ Define boundaries
‣ Communicate the new rules
- Identify key legal aspects (Privacy)
- Register every device (Asset Management)
- Force use of common tools (Enforce)
- Incident response for loss or theft (Process)
Figures and content of this slide are from: http://www.ibm.com/smarterplanet/us/en/index.html
Cloud
Cloud • In a recent Ponemon Institute report (2011), over 60% of surveyed US and European cloud service providers said they were unsure whether their cloud applications were sufficiently secured
• A majority of those cloud providers believed it was their customers' responsibility to secure the cloud, not theirs.
• The majority of cloud providers admit they do not have dedicated security personnel
• Most cloud service providers do not have confidence that customers' security requirements are being met.
Figures and content of this slide are from: http://www.ibm.com/smarterplanet/us/en/index.html
Cloud • Most security technologies are not widely deployed by cloud providers.
Figures and content of this slide are from Ponemon Institute
Cloud • Key Rules
- Best Practices
‣ CSA: https://cloudsecurityalliance.org/
• Cloud Audit Tool
‣ COBIT - IT Control Objectives for Cloud Computing (193 pages)
- Broad Enterprise Approach
‣ Bring Business into decision process
- Governance (Data and Process)
‣ Purchasing (Finance)
‣ Risk Management
‣ Contract (Legal)
‣ Information Security (Information Security Policy)
Social Media • Now, engaging in social media, inside and outside of the company, is a strategic imperative.
• In a recent Ponemon Institute survey,
- nearly 70% of global respondents said that social media is now very important for achieving their business objectives
- 63% of respondents said that social media puts their organization at risk
- but only 29% admitted to having the necessary security controls to mitigate that threat
Figures and content of this slide are from Ponemon Institute
Social Media • Key Rules
- Read the terms of use and privacy policies
- Be authentic
- Think before posting
- Respect others' rights
- Be careful with connections
Figures and content of this slide are from: http://www.ibm.com/smarterplanet/us/en/index.html
New Information Paradigm • More than 80% of executives surveyed in 2008 said they “occasionally” or “often” didn’t pursue innovative business opportunities because of information protection concerns.
• Questions?
- Do we continue to live in a crisis response mode, or do we adopt a proactive future risk management strategy?
- Do we constantly say "NO" to the business, or do we help it achieve its business objectives while making it aware of emerging information risks?
Figures and content of this slide are from: http://www.ibm.com/smarterplanet/us/en/index.html
To a New Security Role • Participate in Innovation
• Crisis response mode or proactive future risk management strategy?
• From a responder’s mode to an influencer’s mode.
• Participate in systemic changes that span functions, including legal, business operations, finance, human resources and more.
• Adopt a wider view of information protection that extends beyond just security measures.
• Deal with future threats and the integration of new technologies related to the business.
From Technical to Business • It means moving from a "NO" attitude, due to lack of time, to a "YES" approach, collaborating with the business.
• 5 functions in Information Security
- Define (Strategy, Innovation, Emerging Risks) - NEW!
- Plan (Policy and Controls definition) - CISO
- Implement (Operations) - Head of Operations and Team
- Measure (Audit and Compliance) - Head of Audit
- Respond (Incident Response) - Head of Response Team
Figures and content of this slide are from: http://www.ibm.com/smarterplanet/us/en/index.html
Information Security for Business • Define (Strategy, Innovation, Emerging Risks) – NEW!
- Collaboration with the business and innovation
- Help the business go faster, further.
- Don’t stop the train, open the roads.
- Extend the perimeter
- Business-centric security strategy