Presentation on theme: "Supporting Supplier Security Compliance Ian Lawden"— Presentation transcript:
1 Supporting Supplier Security Compliance
Ian Lawden

2 Context
- Over 20 million customers.
- 5.9 million working age benefit claimants.
- 479 thousand people claiming Employment and Support Allowance (ESA).
- 2.61 million working age claimants of ESA and incapacity benefits.
- 692 thousand lone parents claiming Income Support (IS).
- 4.75 million people claiming Housing Benefit, with 5.78 million claiming Council Tax Benefit.
- 12.7 million people of state pension age claiming a DWP benefit.
- 12.5 million claimants of State Pension (SP).
- 3.68 million people had started on a New Deal programme (up to May 2010).
All figures accurate at February 2010 unless otherwise stated.
3 Policy and Commissioning Function Organisation (May 2009)
Flow: Ministers prioritise customer need/outcome; Client Groups; Policy and Commissioning Function; Delivery; customer need/outcome met.
Delivery bodies: Local Authorities; Private and Voluntary Sector providers; Jobcentre Plus; The Pension, Disability and Carers Service; Pension Protection Fund; Personal Accounts Delivery Authority; Health & Safety Executive; Child Maintenance and Enforcement Commission.
Corporate Functions: IT; Finance; Change Programme; Communications; Commercial; Legal; Human Resources.
4 Organisation Vision – Recognition of need for IA
To deliver the IT Service for Citizens that will make a positive difference to their lives.
Mission achieved by:
- Constantly looking for ways in which our IT systems and services can improve our service to our customers, while recognising also the absolute need to safeguard and keep secure the data which we hold on them;
- Listening to, understanding and responding to the IT needs of our people and our customers;
- Strengthening working relationships with the businesses and our suppliers to improve performance and deliver added value across all our IT systems and services;
- Innovating across organisational boundaries to provide a fast, efficient and seamless service, helping to deliver both the Department’s Business Strategy and the Government’s Transformational Government Strategy;
- Exploiting new technology to deliver solutions which are both sustainable and accessible to all;
- Growing the capability of our people by underpinning all our activity with professional competence, enhanced through training, research and reference to best practice; and
- Participating and acting with integrity in a manner that demonstrates the Department’s values and upholds its reputation.
5 Corporate Framework supported by Best Practice: ITIL Service Management Process
Service Support: Incident Management; Problem Management; Change Management; Release Management; Configuration Management.
Service Delivery: Service Level Management; Financial Management; Capacity Management; IT Continuity Management; Availability Management.
6 ITIL & Security
ITIL (v2) based:
“The ITIL process Security Management describes the structured fitting of information security in the management organization. ITIL Security Management is based on the code of practice for information security management now known as ISO/IEC. A basic goal of Security Management is to ensure adequate information security. The primary goal of information security, in turn, is to protect information assets against risks, and thus to maintain their value to the organization. This is commonly expressed in terms of ensuring their confidentiality, integrity and availability, along with related properties or goals such as authenticity, accountability, non-repudiation and reliability.”
“[There is] mounting pressure for many organizations to structure their Information Security Management Systems in accordance with ISO/IEC; this requires revision of the ITIL v2 Security Management volume, and indeed a v3 release is in the works” [now in place].
Courtesy of Wikipedia
7 Contention? Service Support processes versus Security Management
- Incident Management: user up and running quickly.
- Problem Management: root cause analysis (RCA) and correct.
- Change Management: standard methods and procedures.
- Release Management: holistic view and forward plan.
- Configuration Management: strong asset control.
- Security Management: preserve evidence for forensic investigation (contention with getting the user up and running quickly); threat identification and emergency response, and a focus on vulnerability reduction/removal (synergy with problem and change management).

8 Contention? Service Delivery processes versus Security Management
- Service Level Management: agree, monitor, report.
- Financial Management: supports business objectives.
- Capacity Management: demand management for business objectives.
- IT Continuity Management: recovery within agreed timescales.
- Availability Management: customer satisfaction equates to ‘up time’.
- Security Management: ‘Security’ not seen as a business objective (contention); preserve evidence for forensic investigation; system availability needed for maintenance (patching), which competes with ‘up time’ (synergy with IT continuity, contention with availability targets).
9 UK Families put on Fraud Alert
Accountability & Outsourcing – the ‘owner’ of the data is still expected to respond to and resolve problems …
“Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing.”
The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people.
Chancellor Alistair Darling said there was no evidence the data had gone to criminals, but urged people to monitor bank accounts "for unusual activity".
The Conservatives described the incident as a "catastrophic" failure.
10 Media and Public Interest – still a newsworthy subject
Typical requests received:
- Details of all data security breaches
- Whether personal information is on contractor disks
- Details of the contractor who mislaid disks etc.
- Details of breaches of citizens' personal details
- USB flash drives etc. lost in previous 12 months
- Various lost laptops, PDAs, mobiles, blocked internet sites, staff disciplined, USBs, and iPods
- Number of laptops and memory sticks lost or stolen in last 5 years
- Various questions relating to IT security training
- Lost or broken devices, deletion processes, and other issues
- Information relating to the theft and loss of DWP laptops and mobiles over the last two years
11 Organising your security relationships and structure
12 High Level Roles – Business, Outsourced SIaM, Security Roles
- Business: consumers of security services.
- Client: ‘Retained’ Service Integration and Management (SIaM), policy & operations.
- Integrator: outsourced SIaM providing integration and security professionalism; may be supported by security experts, e.g. Vistorm.
- Service Tower Providers (performing suppliers): each supplier brings its own tower security capability.
Towers (services): Network; SIaM; Desktop; Application Development; Application Support & Maintenance; Hosting; Other services.
13 Certification – need for professionalism across the operating model
“Speaking a common and professional language”
Certifications held across the operating model include: HMG IT Security (phase 1); HMG IT Security (phase 2); CISM; WiFi Networks Certified Professional; CLAS; MCSA Messaging; Checkpoint Certified Security Administrator; ITPC; ISO27001; Management of Risk; ISO9001; MCTS; Certified Ethical Hacker; NICE (Network Intelligence Certified Engineer); MCSA; MCSE Security; CA Certified Security Administrator; MCSE; Sun Certified Systems Administrator; CISA; ITIL; Certified Penetration Testing Specialist; SCNS (Tactical Perimeter Defence); IT Forensics; CISSP.
15 Roles and Responsibilities – Outsourced Supplier Management Capability
Provide:
- Coordination of security activities across the supplier community
- Risk management services
- A security incident logging, investigation and management service
- Security assurance & accreditation management
- Security audit & compliance reviews
- Security policy & awareness services
- Threat & vulnerability response services
- Security service management and reporting
16 Roles and Responsibilities – Retained Capability – Managing the Manager
Internal IT Security Operations Management role:
- Provide assurance that Service Tower providers and SIaM are compliant with security policies
- Monitor supplier performance in relation to their security obligations
- Manage the necessary cross-supplier and business processes (Security Waivers and Exceptions)
- Provide IT security guidance to internal operational staff and IT support staff
- Produce and approve security bulletins and notices
- Progress business IT security issues
- Act as centre of excellence, with SIaM, on all operational IT security matters
17 Functions
- Supplier Assurance
- Compliance Assurance
- Risk Management & Audit
- Security Incident Management
- Security Reporting
- Accreditation Aftercare
I've a horrible feeling I'm under surveillance. I've been looking at Google Street View and the same van has been outside my house for days now.
18 Supplier Performance Index – Performance Management Dashboard
Each service tower (Desktop, Networks, Data Centre, Maintenance, Development) has its own Performance Review, covering the several suppliers that deliver that tower. The tower performance reviews feed a single Supplier Performance Index, presented on the Performance Management Dashboard.
19 Complete Information Security – Establishing and identifying Compliance Controls: The Service Integrator and Manager Perspective
There must be an overarching information security framework:
- The lack of such a framework, aligned with strategic business objectives, leads to a disjoint in delivery priorities, and the possibility of over-developed or inappropriate security controls.
- For Government Departments, in addition to ensuring compliance with HMG security requirements, adoption of such a framework:
  - improves engagement with both IT and non-IT supplier organisations, who generally state compliance or certification against ISO27001 and who therefore understand its requirements,
  - simplifies future development and implementation of delivery solutions and services through effective, pragmatic security risk management,
  - enables the updating of security policy and guidance in response to changing threats and business needs,
  - improves communication with those responsible for implementing security controls, making it more efficient.
20 Complete Information Security – Policing Compliance Controls: The Service Integrator and Manager Perspective
Automated versus Manual control
Automated/Technology
- Pros: consistency of analysis; speed of applying rules and measures; reduces error rate; enhanced data mining/analysis/correlation capability; 24/7/365 high availability operation; can enforce compliance.
- Cons: cost of baselining rules and measures; critical dependence on hardware/software; interoperability of products; can introduce vulnerabilities; training; vendor enthusiasm to act as a VAR rather than a true security solution provider.
Manual/Process
- Pros: understanding of problems and coping with variance/idiosyncrasies; can provide for cost savings; capable of analysing the situation to manage business reputation; thinking outside the box; understanding the implications of decisions.
- Cons: dependencies on specific resource; costly for 24/7/365 manual operations; compliance not enforced; manual information management; potential for increased error.
21 Risk Management & Audit
- Regularly and formally review Risk Management processes and procedures, ensuring a holistic approach across the organisation.
- Implement, or aim for, a consistent approach across all suppliers.
- Ensure that Risk Management is seen as the basis for all decisions by including reference to it in meetings, forums and workshops.
- Tie audits into the Risk Management process.
- Ensure that risks are articulated in simple but specific language and not at too high a level, that the risk is real, and that the mitigation is proportionate and effective!
Why did the chicken cross the road? It was trying to get a signal on its iPhone 4.
22 Incident Management & Reporting
Awareness is key, including consistency across staff and suppliers: share messages.
23 IT Security Reporting – Showing Value by reporting reduced Vulnerability
Top of the Office Outcome, measured across five areas: IT Security Awareness; Supplier Performance; Systems Defence; Risk Management; Capability.
Impact:
- Greater IT security awareness
- Increased supplier performance (or reduced non-compliance)
- Hardened, bolstered and tested systems defence
- Proportionate, holistic and effective risk management
- Capability that matches the challenge
Activity: Overarching Security Service Improvement Programme.
24 Accreditation Aftercare
- Monitor accreditation activity and accreditation aftercare, ensuring systems are used within the accreditation scope and that changes are notified where appropriate. (Problem Management?)
- In particular, provide assurance that the accreditations for infrastructure services are up to date and that all necessary activities are under control. (Service Level Management)
- Identify DWP information systems (Configuration Management?) and ensure accreditation procedures are adhered to. (Supported by Audit)
Is it just me, or would you kill for the kind of download speed that girl from the piracy ads is getting?
25 Persistent Internal Challenges and Opportunities
- Need to identify and maintain relationships with business IT Security stakeholders (single points of contact).
- Diverse business scenarios within large organisations (one size may not fit all): multiple locations; differing operating models; inconsistency in IT security expertise; accountabilities unclear.
- Internal Identity and Access Management: local installer rights and privileged users detracting from the ‘defence in depth’ strategy.
- End User Computing (definition!): demands for local or flexible storage of data; use of unapproved tools and techniques and inappropriate developments; lack of expertise in using standard tools; introduction of unauthorised software; introduction of unauthorised devices; use of ‘ready to go’ Internet services.
- User awareness: phishing attacks; spam; social engineering; drive to provide access to social networking.
My mate Sid was a victim of ID theft. He's just called ‘S’ now.
26 Persistent Supply Chain Challenges and Opportunities
- Privileged users in the supplier community: local; off shore; remote access.
- Provisioning and de-provisioning (Identity and Access Management).
- Flexibility and agility versus control and stability.
- Economic climate: continuity of supply.
- Evidencing independence.
- Commercials and integrating compliance.
- Supplier collaboration (or lack of it).
- Patching and maintenance against availability and risk.
- Enforcing standard change control.
“It’s all about the contract!”
Just found an absolute bargain on eBay. Some bloke in Nigeria is selling army dog tags inscribed with your name, national insurance number, bank account and sort code details free of charge. Get in there quick!
27 Successes and Advantages
- Access to thought leadership, innovation and industry research.
- Ability to resource fluctuations in demand (e.g. accreditation and related activities).
- Ability to identify cross-supplier trends and issues (IAM, for example).
- Application of industry standards and techniques (patch management).
- Ability to manage large amounts of security compliance information from across suppliers’ operational processes and technology, and drive cost-effective continuous improvement (e.g. roadmap, incident management processes).
- Independent, integrated view of operational security risk.
- Fixed price service measured via SLAs, which has driven down security resourcing costs.
28 Key Messages
- Recognise that suppliers exist to make a profit and, therefore, ensure that you (and your supplier) understand what your priorities are and who is accountable. Does your desire to protect your business align with the supplier’s business plan?
- Continually stress, and demonstrate by actions and deeds, that where you have outsourced the management of suppliers, the ‘integrator’ is your agent and is acting on your behalf; they must be afforded the same access and cooperation as you yourself.
- Collaborate with your supplier in establishing and refining process definitions with clear ‘hand off’ points.
- Understand the end-to-end supply chain to flush out any ‘unexpected’ and potentially unpalatable elements (such as off shore activity).
- Ensure communications are consistent across all suppliers; this is another opportunity to emphasise your support for your supplier.
- Ensure that security clauses in IT contracts mandate your suppliers to cooperate with your integrator.
- Where possible, ensure consistent methodologies for risk management, patching, etc.
- Ensure availability and up time promises to the organisation are consistent with the need for essential (including unanticipated) system maintenance.
- Bake in compliance activity as well as technical security measures when developing systems.
- Don’t panic or set hares running: things are not always as bad as they first appear, but you can soon make them that bad (or worse) through inappropriate responses!
I got a second this morning from a Nigerian bank offering me £10m if I give him my bank details. What luck! I'm going to be back in credit after the first one wiped me out!