7/29/2019 Does IT Security Matter v 2
Does IT Security Matter?
Dr. Luke O'Connor
Group IT Risk
Zurich Financial Services, Switzerland
Faculty of Information Technology, QUT
November 27th, 2007
Outline
A bit about Zurich and myself
Nicholas Carr and knowing your neighbours
Security Tectonics
The Explanation is Mightier than the Action
Risk and the New Math
Final Grains of Wisdom
Introduction to Zurich
Offices in North America and Europe as well as in Asia Pacific, Latin America and other markets
Servicing capabilities to manage programs with risk exposure in more than 170 countries
Approximately 58,000 employees worldwide
Insurer of the majority of Fortune's Global 100 companies
Net income attributable to shareholders of USD 4.5 billion in 2006
Business operating profit of USD 5.9 billion in 2006
My Background
Industrial Research (6 yr): what people might want
Consulting (5 yr): what people say they want
In house (2 yr): what people expect
Focus over this period: Security -> Risk
G-IT Risk stakeholders
[Stakeholder diagram; labels recovered from the slide]
GITR (Group IT Risk) at the centre: project risk management, service risk management, capabilities; primary interface for G-IT
Zurich Business: Business A, B, C ... x, each with an Account Exec (A, B, C ... x)
Service Providers: Supplier A, B ... x
Group functions: Finance, Process/QM, Sourcing, Audit, Compliance, Legal, Risk
G-IT support functions: GSM, GITAG, G-ISP, Investigations
External functions: Industry Bodies & Suppliers
Relationships: co-operate; consume information and services; GITR Partner Focus
Does IT Matter?
Carr, N., "IT Doesn't Matter", Harvard Business Review, Vol. 81, No. 5, May 2003; Carr, N., Does IT Matter?, 2004
IT doesn't matter and can't bring strategic advantage at present!
Spend less
Follow, don't lead
Focus on vulnerabilities, not on opportunities
IT management should become boring
Manage risks and costs
Good Neighbours, but Good Friends?
Business -> IT Department -> IT Security
Business sees IT as something technical
IT Departments see IT Security as something technical
In both cases there is a dependency but not a strategic relationship
The Continental Drift of C, I, A
(CIA: better known to business as "Call in Accenture")
[Diagram: security topics spread across Confidentiality, Integrity and Availability, and across layers from TECHNICAL through CONCEPTUAL, ARCHITECTURAL and PROCESS to BUSINESS]
Confidentiality-related topics: SSL, VPN, SSL VPN, Database Encryption, Hard Disk Encryption, Data in Flight, Data at Rest, Data Retention, Data Leakage, Data Breach, Data Privacy, Cross Border Data Flow
Integrity-related topics: Hashing & Checksums, Digital Signatures, Authentication, Access Control, Logging, One person, one ID, Rapid and flexible provisioning and deprovisioning of rights, Role Based Access Control, Anti-Virus, Firewalls, Anti-Spyware, DoS, ID Management, Financial Process Integrity
Availability-related topics: Backup & Restore, RAID, Clustering, Hot Swapping, Incident Response, Business Continuity, Disaster Recovery
The Explanation is Mightier Than the Action
Security Bingo
Notable Security Setbacks
Regulatory Frameworks over Security Frameworks (SOX over 7799)
Excel over FUD (Fear, Uncertainty and Doubt)
Reactive over Proactive
SLAs over Security Program
Commercial over Military
The New-ish Security Model: From Castle to Airport
Castle: Security mechanisms are static and difficult to change.
Airport: Security mechanisms are dynamic and responsive to threats.
Castle: Reliance on a few mechanisms. Castle walls are impregnable. Once inside, security mechanisms are minimal.
Airport: Uses multiple overlapping technologies for defence in depth.
Castle: Known community have unrestricted access within security boundary.
Airport: Security must be maintained whilst an unknown population traverse. Security of inclusion (ensuring the right people have access to the right resources) and security of exclusion (ensuring that assets are protected). Use of roles to determine security requirements.
Castle: Silo mentality in organisation.
Airport: Requires an open, co-ordinated, global approach to security.
The next Big Thing: Network Access Control (NAC)
How do you sell this to your IT Department or Business?
[Network diagram; labels recovered from the slide]
Zones: Remote Access DMZ, Quarantine Network, Trusted Network, DMZ Network
Components: Firewall Cluster (x2), VPN Concentrator, Trusted VLANs, IDS Sensor (x2), Network Access Control Server, Platform Configuration Server, Quarantine Server, AAA Server
Annotations: access to a restricted set of web applications based on user role; access to a restricted VLAN based on user role
From Security ...
[Four columns: Objectives (Perceived), Controls (Desired), Testing (Reality), Report (The Plan)]
Objectives (Perceived): ISO 17799, ISF, Cobit, NIST, your policies and standards, etc.
Controls (Desired): ISO 17799, ISF, Cobit, NIST, your service catalogue, etc.
Testing (Reality): documentation, questionnaires, interviews, demonstrations, inspections, tooling, 3rd party analysis
Report (The Plan): control effectiveness, compliance, risk mitigation, priorities
... to Risk
Description: What could happen?
Trigger: How could it happen?
Consequence: What is the impact?
Probability: How often?
Severity: How bad?
Controls as Risk (as is)
[Diagram; labels recovered from the slide]
Control Assessment: Controls C1, C2, C3, C4 are each rated against a Control Objective (e.g. CoBIT) as Effective, Needs Improvement or Not Effective.
Each deficient control then gets the label "Risk?", i.e. risk scenarios are treated as reformulations of control deficiencies (gaps).
NO! Control gaps are potential triggers of risk, not the risk itself.
IT Risk Components
IT Projects Risk: Financial & Resources, Compliance & Audit, Contract & Supplier Mgmt, IT Architecture & Strategy, IT Project Management Risks, Facilities & Environment, IT Operations & Support, Time to Deliver, IT Security
IT Services Risk: Service Level Management, Capacity Planning, Contingency Planning, Availability Management, Cost Management, Configuration Management, Problem Management, Change Management, Help Desk, Software Control & Distribution, IT Security
Zurich's IT Risk Management Framework
[Process diagram; steps recovered from the slide]
1. Object to be assessed. The ABC (Assessment of Business Criticality) risk analysis prioritizes resources. Below threshold: no further analysis, apply policies and standards. Above threshold: continue with step 2 (project) or step 3 (service).
2. Project: Project Risk Tool, optimised risk analysis for projects; risk assessment within the PMO process; supported by Project Risk Consulting.
3. Service: Service Risk Tool, optimised risk analysis for services; facilitated assessments and self-assessments, IT Security Risk Assessments; supported by Services Risk Consulting.
4. Group IT Risk Register (Central): the risk register provides a single global data store for analysis and reporting.
5. Reporting, Escalation and Action Monitoring: Group IT Risk Reporting, Dashboard, Actions monitoring, QRR.
Relation to Operational Risk
[Diagram; labels recovered from the slide. Legend: opRisk process, IT Risk process, joint effort, data flow, input, other process]
IT Risk process: IT Project Risk Assessments, IT Service Risk Assessments, IT Risk Incident Management -> IT Risk Reporting
opRisk process: opRisk QRA, opRisk KRIs, opRisk LED Collection, opRisk Modeling and Quantification -> opRisk Reporting
Joint effort: Common Risk Repository on Common IT Infrastructure
Other sources (input): ICF, TRP, ...
Outcomes: Awareness, Well Informed Decision Making, Incentives, Performance Measurement, Capital Allocation
Conclusion: Does IT Security Matter?
IT Security in general is not an end in itself
IT Security is one area competing for attention and funding, amongst many
If you don't make IT security matter, it won't
Keeping business secure is the main end
Focus on securing business processes not the process of securing
Excel is your new best friend
Make your spreadsheets work with their spreadsheets
A risk-based approach is the opportunity to speak business language
Don't replace FUD with GIGO (garbage in, garbage out)
Over to you