Risk, regulation and data protection
Risk, Regulations and Data Protection
Shahar Geiger Maor, Senior Analyst
Scan me to your contacts:
www.shaharmaor.blogspot.com
http://www.facebook.com/shahar.maor
http://twitter.com/shaharmaor
Shahar Maor’s work Copyright 2011 @STKI Do not remove source or attribution from any graphic or portion of graphic 2
What is Risk?
Risk Management…
• Risk management is present in all aspects of life
• It is about the everyday trade-off between an expected reward and a potential danger
• It is universal, in the sense that it refers to human behaviour in the decision-making process
No Risk… No Gain!
Benefits of Risk Management
Potential benefits:
• Better service delivery
• Supports strategic and business planning
• More efficient use of resources
• Quick grasp of new opportunities
• Reassures stakeholders
• Promotes continual improvement
• Helps focus internal audit programme
• Increased certainty and fewer surprises
• ERM (enterprise risk management) is an ongoing process
• ERM is an integral part of how an organization operates
• ERM applies to all organizations, not just financial organizations
• Risk applies broadly to all things threatening the achievement of organizational objectives
• Risk is not limited to threats, but also refers to opportunities
• The goal of an organization is not “risk mitigation”, but seeking an appropriate “risk-return position”
Regulations – The Olympic Minimum Syndrome
When Regulation is a Good Idea…
SOX
Ultimate Liability
Countrywide’s Angelo Mozilo, Bear Stearns’ Jimmy Cayne, Lehman Brothers’ Dick Fuld, and Merrill Lynch’s John Thain
Security Ecosystem: Key Roles
• Senior Management
• CISO
• Data owners
• Custodian
• Users
PCI-DSS: Israeli Market and Challenges
[Diagram: a retail payment environment (Network DSL Router, POS Server, POS Terminals, PIN Pads, Policies, 3rd Party Scan Vendor) mapped against PCI-DSS Requirements 1 to 12]
Information Security “Threatscape”
Social Engineering
Preventing social engineering:
• Verify identity
• Do not give out passwords
• Do not give out employee information
• Do not follow commands from unverified sources
• Do not distribute dial-in phone numbers to any computer system except to valid users
• Do not participate in telephone surveys
Reacting to social engineering:
• Use Caller ID to document phone number
• Take detailed notes
• Get person’s name/position
• Report incidents
Phishing
• A social engineering scam
• A scam that uses email or websites to deceive you into disclosing sensitive information
• How does it work?
– You receive an email or pop-up message
– The message usually says that you need to update or validate your account information
– It might threaten some dire consequence if you don’t respond
– The message directs you to a bogus website
– You type sensitive info… and that’s it…
Technologies Categorization 2010\2011
[Chart: Market Maturity (Using / Implementing / Looking) against Market Curiosity, with labels Major Changes and IT Project; size of figure = complexity/cost of project]
Technologies plotted: Cyber Warfare, Mobile Sec, DLP\IRM, “Social” Security, Cloud Security, Network Security, Application Security, Endpoint Security, Security Management, Data Protection
Source: STKI
Cyber-Warfare
http://edmahoney.wordpress.com/2010/01/13/cyber-war-home-theater/
Mobile sec
“Social Security”
Data Centric Approach
• Build a wall – “perimeter security”
• “Business of Security” – security is built into the business process
Data Security Domain
Source: Securosis
STKI Index 2010\2011 – Top Queries to STKI
• EPS/mobile 14%
• Market/Trends 13%
• Access/Authentication 12%
• Network Sec 12%
• GW 10%
• DCS 9%
• DB/DC SEC 9%
• Vendor/Product 8%
• Regulations 7%
• SIEM/SOC 3%
• Miscellaneous 2%
• Encryption 1%
Source: STKI
Internal vs. External Human Threats
Leakage Mitigation in Israel
• Awareness\Methodology
• IRM\Vaulting\Mail Protection
• DB protection
• GW protection
• Encryption
• Device Control
• Endpoint DLP
Protect your data
• Access Management
• Entitlement Management
• Network Segregation
• Server/Endpoint Hardening
• USB/Media Encryption/Device Control
• Database Encryption
• DAM
• Storage Encryption
• Application Encryption
• Email Filtering
• Data Loss Prevention – Network
• Data Loss Prevention – Endpoint
• Data Loss Prevention – Storage
• Full Drive Encryption
• USB/Media Encryption/Device Control
• Enterprise Digital Rights Management
• Data Masking
• Entitlement Management
Top Insights
• Most organizations still rely heavily on “traditional” security controls like system hardening, email filtering, access management, and network segregation to protect data.
• Most organizations see unstructured data storage as their main security concern.
• Most organizations must meet at least 1 regulatory or contractual compliance requirement.
Top Insights – cont.
• Many organizations tend “not to touch” their prod DB.
DB protection: Estimated Technology Penetration
• Using this technology: 52%
• Evaluating\Not using: 48%
Identity and Access Management
This is where most activity occurs
– Leper Colony – keep away!!!
Thank you! Download this presentation: