Presentation on theme: "Supporting Supplier Security Compliance Ian Lawden."— Presentation transcript:
Supporting Supplier Security Compliance Ian Lawden
Security Operations Management Context Over 20 Million Customers. 5.9 million working age benefit claimants. 479 thousand people claiming Employment and Support million working age claimants of ESA and incapacity benefits. 692 thousand lone parents claiming Income Support (IS) million people claiming Housing Benefit, with 5.78 million claiming Council Tax Benefit million people of state pension age claiming a DWP benefit million claimants of State Pension (SP) 3.68 million people had started on a New Deal programme up to (May 2010). 2 All figures accurate at February 2010 unless otherwise stated
Security Operations Management Organisation 3 Ministers prioritise customer need/outcome Client Groups Local Authorities Private and Voluntary Sector providers Jobcentre Plus The Pension Disability and Carers Service Pension Protection Fund Personal Accounts Delivery Authority Health & Safety Executive Child Maintenance and Enforcement Commission Customer need/outcome met IT Finance Change Programme Communications Commercial Legal Human Resources Policy and Commissioning Function Delivery Corporate Functions May 2009
Security Operations Management Organisation Vision – Recognition of need for IA 4 Vision To deliver the IT Service for Citizens that will make a positive difference to their lives. Mission achieved by: Constantly looking for ways in which our IT systems and services can improve our service to our customers, while recognising also the absolute need to safeguard and keep secure the data which we hold on them; Listening to, understanding and responding to the IT needs of our people and our customers; Strengthening working relationships with the businesses and our suppliers to improve performance and deliver added value across all our IT systems and services; Innovating across organisational boundaries to provide a fast, efficient and seamless service, helping to deliver both the Departments Business Strategy and the Governments Transformational Government Strategy; Exploiting new technology to deliver solutions which are both sustainable and accessible to all; Growing the capability of our people by underpinning all our activity with professional competence, enhanced through training, research and reference to best practice; and Participating and acting with integrity in a manner that demonstrates the Departments values and upholds its reputation.
Security Operations Management Corporate Framework supported by Best Practice 5 ITIL Service Management Process Service SupportService Delivery Incident Management Problem Management Change Management Release Management Configuration Management Service Level Management Financial Management Capacity Management IT Continuity Management Availability Management
Security Operations Management ITIL & Security ITIL (v2) based: - The ITIL-process Security Management describes the structured fitting of information security in the management organization. ITIL Security Management is based on the code of practice for information security management now known as ISO/IEC A basic goal of Security Management is to ensure adequate information security. The primary goal of information security, in turn, is to protect information assets against risks, and thus to maintain their value to the organization. This is commonly expressed in terms of ensuring their confidentiality, integrity and availability, along with related properties or goals such as authenticity, accountability, non-repudiation and reliability. [There is] Mounting pressure for many organizations to structure their Information Security Management Systems in accordance with ISO/IEC this requires revision of the ITIL v2 Security Management volume, and indeed a v3 release is in the works. [now in place]. 6 Courtesy of Wikipedia
Security Operations Management Contention? Incident Management: User up and running quickly Problem Management RCA and Correct Change Management Standard Methods and Procedures Release Management Holistic View and forward plan Config Management Strong asset control 7 Security Management Preserve Evidence for Forensic Investigation Security Management Synergy Security Management Threat Identification and Emergency response Security Management Focus on Vulnerability reduction/removal Security Management Synergy Service Support
Security Operations Management Contention? Service Level Mgmt: Agree, monitor, report Financial Management Supports business Objectives Capacity Management Demand Management for business objectives IT Conty Management Recovery within agreed timescales Availability Management Customer satisfaction equates to up time 8 Security Management Synergy Security Management Security not seen as business objective Security Management Security not seen as a business objective. Security Management Preserve Evidence for Forensic Investigation Security Management System availability for maintenance (patching) Service Delivery
Security Operations Management 9 Accountability & Outsourcing – the owner of the data is still expected to respond to and resolve problems … Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing. The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people. Chancellor Alistair Darling said there was no evidence the data had gone to criminals - but urged people to monitor bank accounts "for unusual activity". The Conservatives described the incident as a "catastrophic" failure. UK Families put on Fraud Alert
Security Operations Management 10 Media and Public Interest – still a newsworthy subject Details of data all security breaches Whether personal information is on contractor disks Details of the contractor who mislaid disks etc Details of breaches of citizens' personal details USB Flash etc drives lost in previous 12 months Various lost laptops, PDAs, mobiles, blocked internet sites, staff disciplined, USBs, and iPods. Number of laptops and memory sticks lost or stolen in last 5 years Various questions relating to IT security training Lost broken devices, deletion processes, and other issues Information relating to the theft and loss of DWP laptops and mobile over the last two years
Security Operations Management 11 Organising your security relationships and structure
Security Operations Management 12 High Level Roles Business Retained Service Integration and Management Consumers of Security Services Policy & Operations Outsourced SIaM Security Professionalism Client Integrator Integration Supplier Supplier (Tower Security Capability) Supplier Other Performing Suppliers NetworkSIaMDesktop Application Development App. Support & maintenance Hosting Other services May be supported by Security Experts, e.g. Vistorm Security Roles Tower (service) Service Tower Provider
Security Operations Management 13 HMG IT Security (phase 2) Certification – need for professionalism across the operating model Speaking a common and professional language CA certified security administrator Certified Ethical Hacker Management of Risk ITPC Certified penetration testing specialist NICE (Network Intelligence Certified Engineer) Sun certified systems administrator MCSE MCSA WiFi Networks Certified Professional HMG IT Security (phase 1) MCSE Security MCSA Messaging SCNS (Tactical Perimeter Defence) CISM Checkpoint certified security administrator CLAS ISO27001 CISSP MCTS IT Forensics ITIL CISA ISO9001
Security Operations Management 14 Design Support Strategic Support Design & Build IT Security Architecture Enterprise architecture Security strategy Innovation Horizon scanning Cross government IT Security Design Security Design Authority Pattern / product selection Bus lead for security incidents Architectural compliance Advice / guidance AD design Knowledge management IT Security Operations Management Supplier Assurance Compliance Assurance Risk Management Security Incident Management Audit Programme Security Reporting Accreditation Aftercare Operate Vision & Strategy Project Requirements Security Capability Value Chain <<< Feedback & Influence
Security Operations Management 15 Roles and Responsibilities – Outsourced Supplier Management Capability Coordination of security activities across supplier community Risk management services A security incident logging, investigation and management service Security assurance & accreditation management Security audit & compliance reviews Security policy & awareness services Threat & vulnerability response services Security service management and reporting. Provide:
Security Operations Management 16 Internal IT Security Operations Management role: Provide assurance that Service Tower providers and SIaM are compliant to security policies Monitor supplier performance in relation to their security obligations Management of necessary cross supplier and business processes (Security Waivers and Exceptions) Provide IT security guidance to internal operational staff and IT Support staff Production and approval of security bulletins and notices Progressing business IT security issues Act as centre of excellence with SIaM on all operational IT security matters Roles and Responsibilities – Retained Capability – Managing the Manager
Security Operations Management Functions Supplier Assurance Compliance Assurance Risk Management & Audit Security Incident Management Security Reporting Accreditation Aftercare 17 I've a horrible feeling I'm under surveillance. I've been looking at Google Street View and the same van has been outside my house for days now.
Supplier Networks Desktop Data CentreMaintenanceDevelopment Performance Review Performance Review Performance Review Performance Review Performance Review Performance ManagementDashboard S u p p l i e r P e r f o r m a n c e I n d e x Desktop
Security Operations Management Establishing and identifying Compliance Controls: The Service Integrator and Manager Perspective 19Complete Information Security There must be an overarching information security framework: The lack of such a framework, aligned with strategic business objectives, leads to a disjoint in delivery priorities, & the possibility for over-developed or inappropriate security control For Government Departments, in addition to ensuring compliance with HMG security requirements, adoption of such a framework: improves engagement with both IT & non-IT supplier organisations, who generally state compliance or certification against ISO27001 & who therefore understand the requirements of it, simplifies future development & implementation of delivery solutions & services through effective, pragmatic security risk management, enables the updating of security policy & guidance in response to changing threats and business needs, improves communication with those responsible for implementing security controls more efficiently.
Security Operations Management Policing Compliance Controls The Service Integrator and Manager Perspective 20Complete Information Security Automated v Manual ControlProsCons Automated/ Technology Consistency of analysis Speed of applying rules and measures Reduces error rate Enhanced data mining/analysis/correlation capability 24/7/365 high availability operation Can enforce compliance Cost of base lining rules and measures Critical dependence on hardware/software Interoperability of products Can introduce vulnerabilities Training Vendor enthusiasm to act as a VAR rather than a true security solution provider Manual/ Process Understanding of problems and coping with variance/idiosyncrasies Can provide for cost savings Capable of analysing the situation to manage business reputation Thinking outside the box Understanding the implications of decisions Dependencies on specific resource Costly for 24/7/365 manual operations Compliance not enforced Manual information management Potential for increased error
Security Operations Management Risk Management & Audit 21 Implement or aim for a consistent approach across all suppliers. Ensure that Risk Management is seen as a basis for all decisions by including reference in meetings and forums and workshops, Tie Audits into the Risk Management process Ensure that risks are articulated in simple but specific language and at not too high a level & that the risk is real – and the mitigation is proportionate and effective! Regularly and formally review Risk Management processes and procedures ensuring holistic approach across organisation. Why did the chicken cross the road? It was trying to get a signal on its iPhone 4.
Security Operations Management Incident Management & Reporting Awareness is key including consistency across staff and suppliers... Share Messages, 22
Security Operations Management IT Security Reporting Showing Value by reporting reduced Vulnerability 23 Top of the Office IT Security Awareness Supplier Performance Systems Defence Risk Management Capability Greater IT Security Awareness Increased Supplier Performance (or reduced non-compliance) Hardened, bolstered and tested Systems Defence Proportionate, Holistic and Effective Risk Management Capability that matches the challenge Outcome Impact Activity Overarching Security Service Improvement Programme
Security Operations Management Accreditation Aftercare Monitor accreditation activity and Accreditation after care, ensuring systems are used within the Accreditation scope, and that changes are notified where appropriate. (Problem Management?) In particular assurance that the Accreditations for infrastructure services are up to date and that all necessary activities are under control. (Service Level Management). Identify DWP information systems (Configuration Management?) and ensure Accreditation procedures are adhered to. (Supported by Audit) 24 Is it just me, or would you kill for the kind of download speed that girl from the piracy ad's is getting?
Security Operations Management 25 Persistent Internal Challenges and Opportunities Need to identify and maintain relationship with business IT Security Stakeholders (Single Points of Contact) Diverse business scenarios within large organisations (one size may not fit all): o Multiple locations, o Differing operating models, o Inconsistency in IT Security Expertise o Accountabilities unclear. Internal Identity and Access Management - Local Installer Rights and Privilege users detracting from defence in depth strategy: o End User Computing o Definition! o Demands for local or flexible storage of data, o Use of unapproved tools and techniques and inappropriate developments, o Lack of expertise in using standard tools, o Introduction of unauthorised software, o Introduction of unauthorised devices, o Use of ready to go Internet services. User Awareness: - o Phishing Attacks, o Spam, o Social Engineering Drive to provide access to Social Networking My mate Sid was a victim of ID theft - He's just called S now.
Security Operations Management 26 Privilege users in the supplier community: - Local, Off Shore Remote Access Provisioning and De-provisioning (Identity and Access Management), Flexibility and Agility versus control and stability, Economic climate – continuity of supply, Evidencing Independence, Commercials and integrating compliance, Suppliers collaboration (or lack of it), Patching and maintenance against availability and risk, Enforcing standard Change Control, Its all about the contract! Just found an absolute bargain on EBay - Some bloke in Nigeria is selling army dog tags inscribed with your name, national insurance number, bank account and sort code details free of charge. Get in there quick! Persistent Supply Chain Challenges and Opportunities
Security Operations Management 27 Successes and Advantages Access to Thought Leadership, Innovation and Industry Research, Ability to resource fluctuations in demand (e.g. Accreditation & related activities) Ability to identify cross-supplier trends and issues (IAM for example) Application of Industry Standards and techniques (Patch Management), Ability to manage large amounts of security compliance information from across suppliers operational processes and technology, and drive cost effective continuous improvement (e.g. roadmap, incident management processes) Independent, integrated view of operational security risk Fixed price service measured via SLAs – driven down security resourcing costs
Security Operations Management 28 Key Messages Recognise that suppliers are in existence to make a profit and, therefore, ensure that you (and your supplier) understand what your priorities are and who is accountable, - does your desire to protect your business align with the suppliers business plan? Continually stress and demonstrate by actions and deeds that, where you have outsourced the management of suppliers, the integrator is your agent and is acting on your behalf – they must be afforded the same access and cooperation as you yourself, Collaborate with your supplier in establishing and refining process definitions with clear hand off points, Understand the end to end supply chain to flush out any unexpected and potentially unpalatable elements (such as off shore activity), Ensure communications are consistent across all suppliers - and this is another opportunity to emphasise the support for your supplier, Ensure that security clauses in IT contracts mandate your suppliers to cooperate with your integrator, Where possible, ensure consistent methodologies for risk management, patching, etc, Ensure Availability and up time promises to the organisation are consistent with the need for essential (including unanticipated) system maintenance, Bake in compliance activity as well as technical security measures when developing systems. Dont panic or set hares running – things are not always as bad as they first appear – but, you can soon make them that bad (or worse) through inappropriate responses! I got a second this morning from a Nigerian bank offering me £10m if I give him my bank details. What luck! I'm going to be back in credit after the first one wiped me out!