Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2002 Protiviti Inc. | 1| 1 Securing your Corporate Infrastructure What is really needed to keep your assets protected Joseph Burkard – CISA, CISSP October.

Similar presentations

Presentation on theme: "© 2002 Protiviti Inc. | 1| 1 Securing your Corporate Infrastructure What is really needed to keep your assets protected Joseph Burkard – CISA, CISSP October."— Presentation transcript:

1 © 2002 Protiviti Inc. | 1| 1 Securing your Corporate Infrastructure What is really needed to keep your assets protected Joseph Burkard – CISA, CISSP October 3, 2002

2 | 2| 2 © 2002 Protiviti Inc. Securing your Corporate Infrastructure Management Dilemma — or — Technical Problem Security Awareness Corporate Governance Firewall DMZ Layered Defense Intrusion Detection Authentication Hacker Digital Signatures Denial of Service Policies & Procedures Anti-Virus Physical Security Non-Repudiation Internal Controls Integrity Vulnerability Testing Confidentiality Accountability Availability Device Hardening Litigation Access Controls Security Program Security Organization Risk Assessment Wireless VPN Privacy PKI Worms Tokens Cyber Terrorism ISO 17799 GLBA HIPAA

3 | 3| 3 © 2002 Protiviti Inc. Securing your Corporate Infrastructure Security is Complex! Traditional Obstacles –IT expenditure Only –Security is an event driven industry –Not same as other operational risks –Won’t happen to us!

4 | 4| 4 © 2002 Protiviti Inc. New Information Security Drivers 1.Significant Threats – 9/11/01 2.Recent Vulnerabilities – Code Red, Nimda 3.Increased Oversight – Enron, WorldCom

5 © 2002 Protiviti Inc. | 5| 5 Increased Oversight and Compliance

6 | 6| 6 © 2002 Protiviti Inc. Increased Oversight and Compliance GovernanceDateTypeIndustry 1.HIPPA8/1996Security & PrivacyHealthcare 2.GLB5/2000Security & PrivacyFinancial Services 3.IIA—NACD 2000Security Governance Corporations 4.GISRA6/2001Security StandardsGovernment 5.FERC7/2002Security StandardsEnergy 6.Sarbanes—Oxley 8/2002Internal controlsPublicly traded companies 7.NYSE & NASDAQ 8/2002Internal controlsPublicly traded companies 8.National Strategy9/2002Secure Cyberspace5 Levels, Corp & Gov

7 | 7| 7 © 2002 Protiviti Inc. Information Security Governance IIA—NACD: What Directors Need to Know Historically boards and senior management looked at Security as a tactical IT issue. But the IIA, in collaboration with the NACD, AICPA and ISACA have recently challenged this perspective with key governance questions*: 1.Accountability 2.Awareness 3.Ethics 4.Inclusion 5.Resource Allocation 6.Thoroughness 7.Effectiveness 8.Ongoing Assessment 9.Compliance 10.Information Sharing * Source: Information Security Governance: What Directors Need to Know. The Institute of Internal Auditors (IIA)

8 | 8| 8 © 2002 Protiviti Inc. Information Security Governance GISRAFERC—Standards for Electric Market Participants  Participants must have a basic Security Program covering governance, planning, prevention, operations, incident response, and business continuity.  Security standards for electric systems and physical security  These security standards shall become effective on January 1, 2004.  Failure to comply will result in loss of direct access to privileges to the electric market.  Senior management is responsible for the Security Program

9 | 9| 9 © 2002 Protiviti Inc. Internal Controls Sarbanes—Oxley  Requires CEO and CFO to file internal control report  Increases SEC oversight and penalties  CEO and CFO must certify quarterly or annual reports NYSE & NASDAQ  Corporate codes of conduct required  Internal audit function mandated  CEO certification required

10 | 10 © 2002 Protiviti Inc. Information Security Governance Questions corporate boards, financial analysts and investors should ask: 1.Who is responsible for IT security, and to whom is he/she directly accountable? 2.Do the CEO and COO review IT security? 3.What internal IT security policies exist? 4.Are the security controls sufficient? Recommendations:  Enterprise-wide corporate security councils  Regular independent IT security audits  Chief Information Security Officer (CISO)  IT continuity plans regularly reviewed The National Strategy to Secure Cyberspace

11 © 2002 Protiviti Inc. | 11 Securing your Corporate Infrastructure What is really needed to keep your assets protected?

12 | 12 © 2002 Protiviti Inc. Develop Security Program There are three goals for Security within an organization:  Confidentiality  Integrity  Availability These goals can be met with: Proper governance A Security Program

13 | 13 © 2002 Protiviti Inc. Develop Security Program Security Lifecycle Use the Security Lifecycle to ensure realistic and enforceable policies, and prioritize security objectives. –Security is a Process –Security requires a full enterprise perspective –The Security Lifecycle provides a framework –Security Policies, Standards, Procedures and Metrics form the core of a Security Program SNCi Guide to Lifecycle Security TM

14 | 14 © 2002 Protiviti Inc. Develop Security Program 1.Enlist Senior Management Support 2.Define Security Objectives 3.Create Security Strategy or Vision 4.Develop Tactical Security Program

15 | 15 © 2002 Protiviti Inc. Develop Security Program Senior Management Commitment –An acknowledgement of the importance of the computing resources to the business model –A statement of support for information security throughout the enterprise –A commitment to authorize and manage the definition of the lower level standards, procedures, and guidelines

16 | 16 © 2002 Protiviti Inc. Develop Security Program Security Strategy & Plan The model to the right lays the groundwork for designing, implementing and maintaining a comprehensive security framework.  The strategy and plan encompass People, Process and Technology  Builds consensus among each of the stakeholders  The elements of Knowledge Sharing, Best Practices, Metrics, Methodologies, and Skill Sets provide the groundwork for implementing a security framework. –The biggest issue is the lack of a comprehensive enterprise security strategy Best Practices Metrics/ MeasuresMethodology Sharing Strategy & Plan Skills Sets Technology Processes People

17 | 17 © 2002 Protiviti Inc. Develop Security Program Strategy  The strategy is a high-level statement that defines the targeted state of Information Security for the organization, and how the targeted state of security can be reached.  Must be specific to the organization Plan –Provides an overview of the security requirements and describes the controls –Delineates responsibilities and expected behavior of all individuals –Documents the structured process of planning adequate, cost-effective security protection for a system.

18 | 18 © 2002 Protiviti Inc. Develop Security Program People –Identify roles, responsibilities and accountability for all critical information assets –Determine whether it is appropriately staffed and whether the structure is appropriate for support of business objectives Process –Define, document, communicate and practice Security Management functions –Develop and standardize security policies Technology –Identify the technology the IT organization uses to protect access to its network resources –Identify the metrics to measure the performance of Security Management –Develop technical security standards –Identify additional security products and solutions

19 | 19 © 2002 Protiviti Inc. Develop Security Program Security Policies –Forms the basis or foundation for the security framework (i.e. people, process, technology) –Communicates management’s business intent and formulates consensus throughout the organization –Communicates to stakeholders that company management understands their duty –Choose a policy structure that is appropriate given your size and company culture –Delineate responsibilities and expected behavior of all individuals who access the organization’s systems. –Suggest ways to increase security policy awareness throughout the organization

20 | 20 © 2002 Protiviti Inc. Process - The human element in a security program Applications - The business software providing access to data Data Management - Backend databases housing data Platform - Operating systems and hardware supporting applications Network - Access to applications and network elements Physical - Access to facilities and physical elements Strategies and policies ensure that business risks are effectively managed and communicated to relevant parties Processes and controls should be in place to detect and respond to security alerts and events Technical architectures and solutions should be designed and operated to provide effective solutions to security threats Changes to the technical environment should not create weaknesses in the security architecture Develop Security Program Information Security Framework SM (ISF) Our approach to managing security risk uses Protiviti’s proprietary Information Security Framework SM (ISF). The framework is based on the simple concept of balance: that information security risk management techniques should create a balance between the cost and nature of controls implemented and the benefit of risks assessed and controlled.

21 © 2002 Protiviti Inc. | 21 Summary

22 | 22 © 2002 Protiviti Inc. Summary  Security is Complex!  Governance = Accountability  Security is a Process  Enlist Senior Management Support  Define Security Objectives  Create Security Strategy or Vision  Develop Tactical Security Program  People, Process and Technology  Security Policies and Awareness

23 © 2002 Protiviti Inc. | 23 Introducing Protiviti: Who we are We are a leading provider of completely independent business and technology risk consulting and internal audit services

24 | 24 © 2002 Protiviti Inc. Business facts  Protiviti has offices in 25 major U.S. markets, with more than 750 experienced professionals.  We specialize in helping clients identify, measure and manage operational and technology-related risks within their industries and throughout their systems and processes.  Our fields of specialization within Technology Risk Management include: –Security and Privacy –Business Systems Control and Effectiveness –disaster recovery / Disaster Recovery –Information Systems Testing –Reliability and Performance –IT Asset Management –Project Management –Change Management –IT Optimization We are a subsidiary of Robert Half International Inc., the world’s leading specialized staffing and consulting services firm, with 2001 revenues of $2.5 billion. Our parent company was named one of “America’s Most Admired Companies” by Fortune magazine for fourth straight year. Also, RHI has featured on Forbes Platinum 400 list of the best big companies in America, also for the fourth consecutive year.  For more information, visit our website at

25 | 25 © 2002 Protiviti Inc. Joseph Burkard, CISA, CISSP Background Joe is a Senior Manager in Protiviti’s Milwaukee office. He has over seven years experience in information technology, the last three with Andersen prior to Protiviti. He has been an IS security and risk consultant, network engineer and system administrator. He has developed security architecture and methodologies, performed numerous security related risk assessment audits and has managed system installation and application integration projects. He is a Certified Information Systems Auditor (CISA) and Certified Information Security Systems Professional (CISSP). Relevant Experience Information Security Project Risk Management IT Risk Assessment Infrastructure Management Internal and IS Audit Representative Clients Briggs & Stratton Commercial Federal Bank Kohler Lands’ End Manpower Newell-Rubbermaid PepsiAmericas Roundy’s SC Johnson Sprint United Health Group Certifications Certified Information Systems Auditor (CISA) Certified Information Systems Security Professional (CISSP) Fellow, Life Management Institute (FLMI)

Download ppt "© 2002 Protiviti Inc. | 1| 1 Securing your Corporate Infrastructure What is really needed to keep your assets protected Joseph Burkard – CISA, CISSP October."

Similar presentations

Ads by Google