People that make IT secure
Does an IT auditor need SABSA?
David Fagan E-mail: [email protected] telephone: +31-6-51135488
SABSA = Sherwood Applied Business Security Architecture
Why SABSA?
» Setting the scene…
» SABSA: • Case study: Paul Kocher • Case study: Project 1426 • Case study: AEC
» Key messages…
Corporate computing in the 20th century…
1960s: Batch
1970s: Multi-function
1980s: OLTP
1990s: Personal Computer
Corporate computing in the 21st century…
(Diagram, built up over four slides: the ‘End user’ works through ‘Front Office’ applications, which talk over a Messaging ‘bus’ to ‘Back Office’ applications and Content Management Systems; the messaging ‘bus’ then becomes a Business Services ‘bus’, and finally the back office is provided as IaaS / PaaS / SaaS.)
20th / 21st century IT-induced reconfiguration…
(Figure: Range of Potential Benefits (Low to High) plotted against Degree of Business Transformation (Low to High). Evolutionary levels: Localised Exploitation, Internal Integration. Revolutionary levels: Business Process Redesign, Business Network Redesign, Business Scope Redefinition.)
Source: “The corporation of the 1990s: Information technology and organizational transformation” edited by Michael S. Scott Morton
A new World…
» 21st century technology: • Mobile computing • The Internet • Cloud Computing • Etc.
» 19th century protection: • Old laws • The ‘hardened’ perimeter
» Today’s generation has been raised on computers… • Hackers / Crackers / Phreakers
» Cyber crime: • No physical contact between villain and victim
In the early days even forensics was easy!
Behold: My new forensics toolkit with real-time, on-line, access to information!
What if your assets were… …misused, disclosed, unavailable, modified, destroyed, stolen/copied?
» Money
» Data
» Intellectual property
» IT systems
» Documents / Information
» Corporate brand, image, and reputation
SABSA takes you back to basics: What is security actually for?
» Is your security designed to keep threats out?
» Or is your security designed to give legitimate users appropriate access quickly and with minimum fuss?
SABSA addresses ‘security’ vs. ‘inconvenience’… …and the need to make security transparent to users
» High security = inconvenience
» Convenience = low security
» The challenge is to ensure appropriate security with maximum convenience: • Well balanced security policy • Meeting business demand • Conforming to the business risk appetite
SABSA clarifies the building blocks for security…
» Physical access control • Based on identity and context
» Logical access control • Based on “need-to-know” authorisation
» Guaranteeing: • Confidentiality • Integrity • Availability • Traceability (secure audit trails) • Non-repudiation • Etc.
SABSA helps assess the threatscape: …internal, external, physical, logical
» What threat(s) are we trying to protect ourselves against? • Why?
» What countermeasures can we deploy? • What is their chance of success? • What is the cost of implementation? • What is the cost of not doing anything? – Likelihood of the threat becoming real? – Damage caused if it does?
SABSA helps define the right countermeasures: …internal, external, physical, logical
» Make intrusion more difficult: • The aim is to gain time – No holes / “backdoors” – Onion ring security “shells”
» Make it easier to detect intrusion: • The aim is to catch the intruders on their way in • To know what intruders did (if they got in)
SABSA shows that standards are not enough!!!
» Most suggest what may be managed
» Few advise how to manage
» Almost all start with a custom analysis of risk-driven business requirements
» Some contain controls libraries
» Almost none are written from an holistic and structured point of view
» Almost every organisation needs to adapt them to their specific business sector, culture, terminology, and national legislative and regulatory requirements
» To succeed we need an overarching framework and methodology that ties it all together to design, deliver, and support end-to-end secure processes
Case study: Paul Kocher Cryptography Research, Inc. (http://www.cryptography.com/)
Paul Kocher has gained an international reputation for his research and innovative designs in cryptography.
An active contributor to major conferences and leading security initiatives, Paul has designed numerous cryptographic applications and protocols which are successfully deployed in real world systems.
His accomplishments include discovering timing attacks and Differential Power Analysis (including techniques for protecting against these vulnerabilities), helping author the widely used SSL 3.0 standard, and leading the design of the record-breaking DES Key Search machine.
He has recently focused on developing anti-piracy technologies for securing digital content. Paul was elected to the National Academy of Engineering in 2009.
Paul founded Cryptography Research and leads the company as its President & Chief Scientist.
He previously held positions at RSA Security and was a founding member of Valicert, Inc. (now Tumbleweed).
He holds a B.S. degree from Stanford University.
Case study: Paul Kocher Cryptography Research, Inc. (http://www.cryptography.com/)
(Figure: probability of success (Low to High) plotted against cost of attack (Low to High) for a set of attack options: Factor 1024-bit RSA key; Reverse engineer; Coerce an employee; Try glitching the CPU; Test for known bugs; Check in all caches. Annotation: “>95% chance, < 48 hours”.)
Case study: Differential Power Analysis …simple power consumption @ microcode / CPU level (Source: Paul Kocher)
Case study: Differential Power Analysis …get the soldering iron out and build a prototype (Source: Paul Kocher)
Case study: Differential Power Analysis …simple power consumption @ algorithm level: Power trace of an RSA operation (Source: Paul Kocher)
Case study: Differential Power Analysis …simple power consumption @ protocol / algorithm level: Power trace of an RSA operation, zooming in on the multiply and reading off key bits (Source: Paul Kocher)
Complexity creates low hanging fruit… …stealing an expensive car
(Figure: probability of success (Low to High) plotted against cost of attack (Low to High) for: Steal expensive car; Reverse engineer; Coerce an employee; Car jacking; Stealing keys. Annotation: “>95% chance, < 12 hours”.)
Some wise words to remember…
“Insecurity appears as complexity increases…
…because our ability to understand elements of a system creates a false impression that we understand the system.”
Paul Kocher President & Chief Scientist
Cryptography Research, Inc.
The Jericho forum: the 11 guiding principles…
1. The scope and level of protection should be specific and appropriate to the asset at risk
2. Security mechanisms must be pervasive, simple, scalable, and easy to manage
3. Assume context at your peril!
4. Devices and applications must communicate using open, secure protocols
5. All devices must be capable of maintaining their security policy on a mistrusted network
6. All people, processes, and technology must have declared and transparent levels of trust for any transaction to take place
7. Mutual trust assurance levels must be determinable
8. Authentication, authorisation, and accountability must interoperate/exchange outside your locus/area of control
9. Access to data should be controlled by the security attributes of the data itself
10. Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties/privileges
11. By default data must be appropriately secured when stored, in transit, and in use
SABSA case study: Project 1426… …taking the risk out of same day money transfers
» The ‘bank’ already had a business process for ‘same day money transfer’ (SDMT):
• Providing services to corporate customers for them to make high value payments: – Typical payment size is several million Euros – Same day settlement
• Partly automated, partly manual processing
• Core server application on the Bank mainframe computer
• PC based payment workstations in customer offices – Branded as Business Online (BOL)
• Branch based terminals
• Group office based terminals for receipt and entry of faxed instructions
Project 1426 requirements… …from the boardroom
» Traceability: • Visible justification of controls based on business case • Visible demonstration of completeness of control set
» Transparent business driven process: • Repeatable • Consistent • Objective • Auditable
» Risk reporting (current status and forecasting): • Based on business defined security performance goals by risk owners • Reports risks of missing performance targets • Dashboard / scorecard compatibility • Granular drill-down from aggregated scores • Real-time objective measurement feeds • Forecasting by tracking trends
Risk mitigation strategy…
» Design and implement full end-to-end automation of the SDMT process, thus eliminating manual process steps and providing straight-through-processing
» Proceed in two phases • Project 1426 phase 1: Design and build SDMT terminal application • Project 1426 phase 2: Convert and integrate BOL
» Specify detailed business requirements for SDMT security using SABSA
» Design and build against the SABSA specification of requirements
» Retain Sherwood Associates Limited (SAL) to carry out an independent review of the SDMT high level design: • To ensure full two-way traceability between business requirements and the solution architecture and design • To deliver a final security review report and a letter of assurance
The assignment:
• Part 1: To assist the Bank to create a set of business requirements for SDMT security and a traceable, auditable means to translate these into technical and process design criteria: – Business drivers – Business attributes – Measurement approaches, metrics and performance targets – Perform a risk assessment against the Business Attributes Profile – Specify control objectives and security services
• The bank then worked with its own internal architecture and design team to develop a high level design for automating the system
• Part 2: Perform the detailed security review of the high level design:
– Review all functional specification and high level design documents for the project
– Review the risk assessment against the Business Attribute Profile for the project
– Review the security services required to mitigate all identified risks and meet the control objectives
– Identify all security services and their respective mechanisms in the project documentation
– Perform a gap analysis of security services and mechanisms
– Assist the bank architecture and design team to close the gaps
– Deliver a final review report and letter of assurance
Assess the business risk: …internal, external, physical, logical
(Diagram: Business Assets; Threat, Vulnerability, Impact and Likelihood combine into Business Risk.)
Prioritising the business risk: …define ‘likelihood’
(Likelihood from Threat and Vulnerability)
Vulnerability \ Threat | Low      | Medium   | High
Low                    | Rare     | Unlikely | Possible
Medium                 | Unlikely | Possible | Likely
High                   | Possible | Likely   | Almost certain
Prioritising the business risk: …combine ‘likelihood’ with ‘impact’
Likelihood \ Impact | Low             | Medium           | High
Low                 | Negligible Risk | Acceptable Risk  | Acceptable Risk
Possible            | Acceptable Risk | Significant Risk | Significant Risk
High                | Acceptable Risk | Significant Risk | Critical Risk
Prioritising the business risk: …combine ‘likelihood’ with ‘impact’
Likelihood \ Impact | Low                          | Medium                       | High
Low                 | No action required           | Monitor to ensure stability  | Monitor to ensure stability
Possible            | Monitor to ensure stability  | Appropriate actions required | Appropriate actions required
High                | Monitor to ensure stability  | Appropriate actions required | Immediate actions required
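The three prioritisation slides above as working code: threat and vulnerability give a likelihood, likelihood and impact give a risk rating, and the rating gives the action. This is an added example, not code from the deck or from SABSA; it assumes (the slides do not say) that the five likelihood values collapse onto the three bands of the impact matrix as Rare/Unlikely → Low, Possible → Possible, Likely/Almost certain → High, and the risk register it rates is constructed.

```python
"""Two-stage SABSA-style risk prioritisation (added example, not from the deck)."""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")

# Stage 1 ('define likelihood'): rows are vulnerability, columns are threat,
# both ordered Low, Medium, High, exactly as on the slide.
LIKELIHOOD_MATRIX = {
    "Low":    ("Rare",     "Unlikely", "Possible"),
    "Medium": ("Unlikely", "Possible", "Likely"),
    "High":   ("Possible", "Likely",   "Almost certain"),
}

# Assumption (not stated on the slides): how the five stage-1 likelihood
# values collapse onto the three likelihood bands of the stage-2 matrix.
LIKELIHOOD_BAND = {
    "Rare": "Low", "Unlikely": "Low",
    "Possible": "Possible",
    "Likely": "High", "Almost certain": "High",
}

# Stage 2 ('combine likelihood with impact'): rows are the likelihood bands
# Low, Possible, High; columns are impact Low, Medium, High.
RISK_MATRIX = {
    "Low":      ("Negligible", "Acceptable",  "Acceptable"),
    "Possible": ("Acceptable", "Significant", "Significant"),
    "High":     ("Acceptable", "Significant", "Critical"),
}

# Rating to action, from the third slide.
ACTION = {
    "Negligible":  "No action required",
    "Acceptable":  "Monitor to ensure stability",
    "Significant": "Appropriate actions required",
    "Critical":    "Immediate actions required",
}
PRIORITY = {"Critical": 0, "Significant": 1, "Acceptable": 2, "Negligible": 3}


@dataclass(frozen=True)
class RiskScenario:
    asset: str
    threat: str          # Low / Medium / High
    vulnerability: str   # Low / Medium / High
    impact: str          # Low / Medium / High


@dataclass(frozen=True)
class RatedRisk:
    asset: str
    likelihood: str
    rating: str
    action: str


def _check_level(name: str, value: str) -> None:
    if value not in LEVELS:
        raise ValueError(f"{name} must be one of {LEVELS}, got {value!r}")


def assess_likelihood(threat: str, vulnerability: str) -> str:
    """Stage 1: look up likelihood from threat and vulnerability levels."""
    _check_level("threat", threat)
    _check_level("vulnerability", vulnerability)
    return LIKELIHOOD_MATRIX[vulnerability][LEVELS.index(threat)]


def rate_risk(likelihood: str, impact: str) -> str:
    """Stage 2: combine a stage-1 likelihood with impact into a risk rating."""
    _check_level("impact", impact)
    band = LIKELIHOOD_BAND[likelihood]
    return RISK_MATRIX[band][LEVELS.index(impact)]


def assess(scenario: RiskScenario) -> RatedRisk:
    likelihood = assess_likelihood(scenario.threat, scenario.vulnerability)
    rating = rate_risk(likelihood, scenario.impact)
    return RatedRisk(scenario.asset, likelihood, rating, ACTION[rating])


def prioritise(scenarios) -> list:
    """Rate every scenario and order the register most urgent first."""
    rated = [assess(s) for s in scenarios]
    return sorted(rated, key=lambda r: (PRIORITY[r.rating], r.asset))


# Constructed register for a same-day money transfer process (illustrative only).
SAMPLE_REGISTER = [
    RiskScenario("Faxed instruction entry", "High", "High", "High"),
    RiskScenario("Branch terminal", "Medium", "Low", "Medium"),
    RiskScenario("Mainframe core application", "Low", "Low", "High"),
    RiskScenario("Customer payment workstation", "High", "Medium", "Medium"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.rating:<12} {r.likelihood:<15} {r.action:<30} {r.asset}")
```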
Defining business risk appetite: …finally, setting key risk indicator (KRI) thresholds
(Figure: Likelihood against Impact, showing a primary KRI threshold, a secondary KRI threshold, and the risk appetite for catastrophic events (1 in N years).)
Risk mitigation… …total costs
(Figure: Cost (Low to High) against Level of control (Low to High): the Cost of Losses falls and the Cost of Controls rises as the level of control increases; the curve is annotated LEAN and DEMAND.)
Risk mitigation… …complexity and strategy
(Same figure, with three regions of control marked ‘baseline’, ‘defence in depth’ and ‘special treatments’.)
Defence in depth: multi-tiered security policy…
Prediction
Deterrence
Prevention
Containment
Detection & Notification
Recovery / Restoration
Audit & Assurance
Collection of forensic evidence
Tracking & Tracing
Types of risk mitigation…
(Figure, built up over several slides: Frequency of loss (Low to High) against Severity of loss (Low to High), a loss distribution marked at µ, µ + σ, µ + 2σ (CI = 95%), µ + 3σ (CI = 99%) and µ + 4σ (CI = 99.9%). The annotations pair Expected losses with Operating expenses, Unexpected losses with Capital financing (balance sheet), and Severe losses / Catastrophic losses in the tail with Transfer / Accept.)
Where do we start? SABSA appendix 2: Sample business drivers for security
Business Driver – Example: Maintaining the privacy of personal and business information that is stored, processed and communicated by the bank’s systems
Select Business Attribute(s) – Example: Private
Define Business Attribute – Example: The privacy of customer information should be protected in accordance with relevant privacy or ‘Data Protection’ legislation in each country where the bank operates, and so as to meet the reasonable expectations of the customers for privacy of their information. Unauthorised disclosure should be prevented and attempted unauthorised disclosures should be reported.
Define Metric Type – Example: Hard metric based on the number of reported incidents involving unauthorised disclosure of customer information, including unsuccessful attempts
Define Measurement Approach – Example: Measure the number of incidents per period and classify each incident by type and severity
Define Performance Target – Example: Target 1: Set maximum number of allowable disclosures (= 0) Target 2: Set maximum elapsed time (in minutes) for an attempted incident to be reported Target 3: Set regular reporting cycle for summaries of incidents by type and severity
Collect, Report & Evaluate Metrics – Example: Number of actual disclosures; Maximum, minimum and average reporting time for incidents; Periodic summaries and analyses of incidents
Assess Risks and Define Control Objectives
Define Security Strategies
Design Security Services, Mechanisms and Components
Two-way traceability… …Business drivers to attributes
Business driver | Supporting attributes
BD1             | Credible, Reputable
BD8             | Controlled, Governable
BD17            | Access Controlled, Authenticated, Confidential, Identified, Private
Two-way traceability… …Attributes to business drivers
Attribute      | Business driver
Private        | BD17
Informed       | BD5, BD30, BD31
Non-repudiable | BD3, BD4, BD13, BD14, BD19
(Figure: the SABSA Business Attributes taxonomy, grouped into Management Attributes, User Attributes, Operational Attributes, Risk Management Attributes, Technical Strategy Attributes, Business Strategy Attributes and Legal / Regulatory Attributes. Attributes shown: Flexible / Adaptable, Scalable, Upgradeable, Usable, Accessible, Cost-Effective, Efficient, Reliable, Inter-Operable, Trustworthy, Reputable, Credible, Confident, Crime-Free, Insurable, Compliant, Confidential, Private, Controlled, Liability Managed, Admissible, Resolvable, Available, Enforceable, Error-Free, Non-Repudiable, Accountable, Auditable, Traceable, Integrity-Assured, Assurable, Authorised, Governable, Business-Enabled, Protected, Independently Secure, Measured, Legacy-Sensitive, Migratable, Flexibly Secure, Productive, COTS / GOTS, Simple, Providing Investment Re-use, Supportable, Automated, Standards Compliant, Architecturally Open, Future-Proof, Capturing New Risks, Multi-Sourced, Extendible, Maintainable, Consistent, Accurate, Current, Supported, Access-controlled, In our sole possession, Change-managed, Informed, Owned, Identified, Authenticated, Time-bound, Timely, Providing Good Stewardship and Custody, Assuring Honesty, Educated & Aware, Motivated, Recoverable, Duty Segregated, Detectable, Brand Enhancing, Competent.)
Case study: example metrics mapping…
Attribute: Private; Business Driver: BD 19
Metric Type: Hard
  Measurement Approach: Reporting of all disclosure incidents, including number of incidents per period, severity and type of disclosure
  Performance Target: Alerts of unauthorized access attempts, to be produced and delivered to IS Operations Manager and Business Owner within 15 minutes.
  Performance Target: IS Department to detail the number, severity, and type of unauthorized access attempts to private data, and a monthly report to be produced and delivered to the IS Operations Manager and Business Owner.
Metric Type: Soft
  Measurement Approach: Review by independent legal and forensic authority
  Performance Target: System to pass review by <insert name of Independent Legal and Forensic Authority> to a degree deemed acceptable by the Head of Group Legal, to prevent prosecution under Data Protection legislation
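The Private attribute metrics from SABSA appendix 2 and the hard-metric mapping above, carried through to a small performance report in code. This is an added example, not code from the deck or from SABSA: the incident records are constructed, while the “maximum allowable disclosures = 0” target and the 15-minute alert limit are the ones on the slides.

```python
"""Collect and evaluate the 'Private' attribute metrics (added example, not from the deck)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Incident:
    incident_id: str
    occurred: datetime      # when the (attempted) disclosure happened
    reported: datetime      # when it reached the IS Operations Manager
    kind: str               # "disclosure" (actual) or "attempt" (unsuccessful)
    severity: str           # "low", "medium" or "high"


@dataclass(frozen=True)
class PrivateTargets:
    max_disclosures: int = 0        # Target 1 on the slides: allowable disclosures = 0
    max_report_minutes: float = 15  # Target 2: alert delivered within 15 minutes


def reporting_minutes(incident: Incident) -> float:
    return (incident.reported - incident.occurred).total_seconds() / 60.0


def collect_metrics(incidents) -> dict:
    """The 'Collect, Report & Evaluate Metrics' step for the Private attribute:
    number of actual disclosures, max/min/average reporting time, and a
    summary of incidents by type and severity."""
    times = [reporting_minutes(i) for i in incidents]
    summary = Counter((i.kind, i.severity) for i in incidents)
    return {
        "actual_disclosures": sum(1 for i in incidents if i.kind == "disclosure"),
        "attempts": sum(1 for i in incidents if i.kind == "attempt"),
        "max_report_minutes": max(times, default=0.0),
        "min_report_minutes": min(times, default=0.0),
        "avg_report_minutes": mean(times) if times else 0.0,
        "by_type_and_severity": dict(summary),
    }


def evaluate_targets(metrics: dict, targets: PrivateTargets) -> dict:
    """Each target is met or missed; a missed target is a risk to report upwards."""
    return {
        "no_unauthorised_disclosures": metrics["actual_disclosures"] <= targets.max_disclosures,
        "reported_within_limit": metrics["max_report_minutes"] <= targets.max_report_minutes,
    }


def performance_score(results: dict) -> int:
    """Percentage of targets met, the 0-100% scale of the attribute performance report."""
    if not results:
        return 0
    return round(100 * sum(results.values()) / len(results))


# Constructed sample period: three unsuccessful attempts, no actual disclosure,
# the last attempt reported 22 minutes after it occurred (misses the 15-minute limit).
_T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_INCIDENTS = [
    Incident("INC-001", _T0, _T0 + timedelta(minutes=5), "attempt", "low"),
    Incident("INC-002", _T0 + timedelta(hours=2), _T0 + timedelta(hours=2, minutes=12), "attempt", "medium"),
    Incident("INC-003", _T0 + timedelta(days=1), _T0 + timedelta(days=1, minutes=22), "attempt", "high"),
]


def sample_report() -> dict:
    metrics = collect_metrics(SAMPLE_INCIDENTS)
    results = evaluate_targets(metrics, PrivateTargets())
    return {"metrics": metrics, "targets": results, "score": performance_score(results)}


if __name__ == "__main__":
    report = sample_report()
    print(report["metrics"])
    print(report["targets"], f"{report['score']}%")
```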
Case study: example metrics mapping…
Attribute: Non-repudiable; Business Driver: BD 19
Metric Type: Hard
  Measurement Approach: Reporting of all incidents of unresolved repudiations, including number of incidents per period, severity and type of repudiation
  Performance Target: Exception report detailing all incidents of repudiation, produced and delivered to Business Owner for Validation within 15 minutes.
  Performance Target: Audit trails recording the detail of all transaction based information required to provide proof and accountability, available to Business Owner on demand
Metric Type: Soft
  Measurement Approach: Independent audit and review with respect to the ability to prevent repudiations that cannot easily be resolved
  Performance Target: System to pass audit and review by <insert name of Independent Authority> to a degree deemed acceptable by Head of Group Legal to prosecute or defend litigation actions.
Case study: example metrics mapping…
Attribute: Informed; Business Driver: BD 19
Metric Type: Hard
  Measurement Approach: Awareness program delivery
  Performance Target: Adherence to quarterly awareness program plan produced by Business Operations Manager and agreed with Business Owner.
  Performance Target: Monthly report on all customer feedback relating to level of awareness produced and delivered to Business Owner and Business Operations Manager.
Metric Type: Soft
  Measurement Approach: Focus groups or satisfaction surveys
  Performance Target: Report from quarterly customer and non-customer focus groups delivered to Business Owner.
Metric mapping delivers traceability…
(Figure: the chain Business Requirements → Security Strategies → Security Services → Security Mechanisms → Security Tools & Products, traced in both directions, with two questions driving the traceability: “Are all my business requirements fulfilled?” and “This is costing us a lot of money. Why do we need it?”)
Case study: performance reporting…
Attribute: Private – Performance Targets: Alerts of unauthorized access attempts, to be produced and delivered to IS Operations Manager and Business Owner within 15 minutes. System to pass review by <insert name of Independent Legal and Forensic Authority> to a degree deemed acceptable by the Head of Group Legal, to prevent prosecution under Data Protection legislation. IS Department to detail the number, severity, and type of unauthorized access attempts to private data, and a monthly report to be produced and delivered to the IS Operations Manager and Business Owner.
Attribute: Informed – Performance Targets: Adherence to quarterly awareness program plan produced by Business Operations Manager and agreed with Business Owner. Monthly report on all customer feedback relating to level of awareness produced and delivered to Business Owner and Business Operations Manager. Report from quarterly customer and non-customer focus groups delivered to Business Owner.
Performance Report: (Figure, repeated over three slides: the Business Attributes taxonomy with each attribute coloured by its performance score on a scale of 0%, 25%, 50%, 75%, 100%.)
Linking business requirements to controls…
(Figure: Business requirements such as “Being a top 2 player in the ???? market in ????”, “Establish 50% market share growth over the next 5 years” and “Achieve Net Promoter Score (NPS) of >40%” are linked through Business Drivers and Business Attributes to Control Areas. Labels in the figure: Operations, IT, Process Quality, Portfolio Quality, Internal Governance, Clarity of Customer Risk, Operational Excellence, Risk Managed, Funding Costs, Operational Efficiency, Customer Satisfaction, Cost Efficiency.)
What Project 1426 delivered…
Traceability: • Visible justification of controls based on business case • Visible demonstration of completeness of control set
Transparent business driven process: • Repeatable • Consistent • Objective • Auditable
Risk reporting (current status and forecasting): • Based on business defined security performance goals by risk owners • Reports risks of missing performance targets • Dashboard / scorecard compatibility • Granular drill-down from aggregated scores • Real-time objective measurement feeds • Forecasting by tracking trends
For a successful security solution we need:
» Traceability: • Visible justification of controls based on business case • Visible demonstration of completeness of control set
» Transparent business driven process: • Repeatable • Consistent • Objective • Auditable
» Risk reporting (current status and forecasting): • Based on business defined security performance goals by risk owners • Reports risks of missing performance targets • Dashboard / scorecard compatibility • Granular drill-down from aggregated scores • Real-time objective measurement feeds • Forecasting by tracking trends
Case study: Australian Electoral Commission… …taking the risk out of electronic voting
Case study: Australian Electoral Commission… …AEC attributes taxonomy
Core Values: Impartiality, Integrity, Respect, Service, Transparency
Stakeholders: Electors, Candidates, Scrutineers, Media, Senior Management, Operations Staff
Attributes: Secrecy of the Vote, Confidence & Perception, Privacy, Accessibility & Deliberation, Timeliness of the Result, Transparency, Reputation, Compliance, Governability, Equity, Financial Viability, Auditability, Accuracy, Anonymity, Authentication, Integrity, Verifiability, Availability, Reliability, Future & Legacy Sensitivity, Modularity
Case study: Australian Electoral Commission… …in support of business mission
» SABSA attributes-driven risk management database
» Periodic and real-time information
» Acceptable impact metrics / performance targets set for each asset
» Used for vendor evaluation
» Mandated for all IT Projects
» Multi-use by wide variety of stakeholders
For a successful security solution we need:
» A framework that can be uniquely tailored to the organisation’s needs • Not requiring the organisation to adapt to the framework
For a successful security solution we need:
» An holistic approach…
» Traceability: • Visible justification of controls based on business case • Visible demonstration of completeness of control set
» Transparent business driven process: • Repeatable • Consistent • Objective • Auditable
» Risk reporting (current status and forecasting): • Based on business defined security performance goals by risk owners • Reports risks of missing performance targets • Dashboard / scorecard compatibility • Granular drill-down from aggregated scores • Real-time objective measurement feeds • Forecasting by tracking trends
» A framework that can be uniquely tailored to the organisation’s needs • Not requiring the organisation to adapt to the framework
IT security: an holistic approach…
» IT security is always a (supporting) part of an overall security policy
» There is no such thing as an “absolutely secure” IT system
» The most secure IT system is one that is switched off • But even that is NOT secure
» The challenge is to ensure appropriate security with maximum convenience
To manage complexity (with an holistic approach)… …a security framework is required
» SABSA doesn’t replace: • ASL • BiSL • CobiT • IAF • ITIL • Prince2 • TOGAF • etc.
» SABSA is a complete security framework that complements existing frameworks: • Allowing all aspects of security to be implemented and managed
SABSA will help you… …not knowingly take significant (and unnecessary) risks
SABSA will help you… …exploit available ‘intelligence’
Ensign Johnson suddenly comes to the alarming realisation that he is the only red-shirt in the landing party.
SABSA will help you… …deal with things that go wrong that should never go wrong
SABSA will help you… …adapt your procedures dynamically as the situation demands
Come on! Jump! It can’t go wrong every time...
SABSA will help you… …reduce your security budget and increase its effectiveness
Thank You Ideas to Interconnect BV (i-to-i), Radex Building, Kluyverweg 2a, 2629 HT Delft, The Netherlands.
Ideas to Interconnect BV (i-to-i), De Boerderij, Nijendal 18, 3972 KC Driebergen-Rijsenburg, The Netherlands.
Tel: +31-15-2682513 Fax: +31-15-2682521
Website: http://www.i-to-i.nl
KvK registration: 27187207
We have got what IT takes