1 The World is Changing and so is Information Assurance Management
Bucharest, Romania, October 2006
This document is confidential and is intended solely for the use and information of the client to whom it is addressed.

2 What is Information Assurance (IA)? (Security 101)
IA is fundamentally all about ensuring the Confidentiality, Integrity and Availability of assets (e.g., information systems, infrastructure, and data). Specifically:
 Information Assurance (IA) is a subset of Information Operations (IO). IA consists of actions that protect and defend information assets and information systems / infrastructures by ensuring availability, integrity, authentication, confidentiality, and non-repudiation.
 This includes resilience, providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
 Source: U.S. Dept. of Defense, Joint Staff, Joint Publication 3-13 Information Operations.
The Security Life Cycle applies to systems from program initiation through disposal, as well as the enterprise management activities of policy, strategy, and program development, training, and risk management.
Life-cycle activities shown in the slide's diagram (labelled "Guiding Processes and Technology" and "Ongoing Support Services"):
 Risk Assessment
 Security Requirements
 Security Budgeting
 Information
 Media Sanitization
 Sensitivity Assessment
 Back-ups
 Awareness and Training
 Access Control
 Plan Updates
 Audit & Monitor
 Key Management
 Security Features Enabled
 Test and Evaluation
 Installation
 Certification & Accreditation
 Technology Research
 Product Evaluations
 Automation Support
 Training
 IA Standards Support
 DISA SRR/STG
 Quality Assurance
 Configuration Management
 Risk Management
 Defense in Depth
 GIG / NCES
 CDS
 NSTISSP #11
 Common Criteria
 IATF / DoDAF / ISO 17799 / COSO / CobiT
 DCID 6/3, DITSCAP / NIACAP
 FISMA / HSPD-12 / NIST / HIPAA / SOX
 Infrastructure / PKI / PKE

3 Organizations are living in an evolving world full of diverse pressures (Business Environment: Macro Trends)
(Slide sidebar: Business Environment, Macro Trends: Technology, Globalization, Human Capital; Governance Trends: Regulations, Standards, Frameworks; Industry Trends: Convergence, Outsourcing, Information Assets.)
Technology
Drivers:
 Technology enables business to deliver a greater variety and quality of services
 Existing technology improves
 New technology offers new business capabilities
Implications:
 Changing technology introduces new vulnerabilities
 New technology introduces new classes of vulnerabilities
Globalization
Drivers:
 Enterprises conduct business in different economic systems, jurisdictions, and legal systems
 Employees are separated by distance and time
 Operations have to adjust to local infrastructures
Implications:
 Enterprises conduct business in different economic systems, jurisdictions, and legal systems
 Employees are separated by distance and time
 Operations have to adjust to local infrastructures
Human Capital
Drivers:
 Western countries are experiencing an engineering skills shortage
 Other countries can provide qualified staff in a more cost-effective manner
Implications:
 A multicultural workforce thinks and communicates differently
 Diverse cultural assumptions and loyalties increase the complexity of managing a global enterprise
How do these apply to your situation?

4 Governments and industry responded to these business drivers with regulation and proliferation of standards and frameworks (Governance Trends: Regulatory Compliance, Frameworks, and Standards)
Drivers:
 Basel II
 Sarbanes Oxley Act
 Health Insurance Portability and Accountability Act (HIPAA)
 OECD Guidelines
 Energy Policy Act of 2005
 ISO/IEC 17799 and 27000 series
 NIST FISMA Standards and Guidance
 ISO/IEC 21827, System Security Engineering Capability Maturity Model
 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework
 Control Objectives for Information and related Technology (CobiT®)
 IT Infrastructure Library (ITIL)
 Capability Maturity Model Integration (CMMI®)
 Project Management Body of Knowledge (PMBOK®)
Implications:
 Risk of non-compliance, including penalties, legal action, and loss of customer confidence
 Increased costs of compliance
 Increased cost of complying with multiple standards and frameworks
 Potential inconsistencies among implementations by organizational components
 Confusion regarding applicability to individual environments
 Provides consistency in audit processes
 Allows for comparability between systems within an organization
 Allows audit committees to plan and budget for reviews more effectively

5 Industry is adjusting the way it does business to evolving macro and governance trends (Industry Trends)
Outsourcing
Drivers:
 Availability of expertise located in other countries
 Reduced costs of doing business
 Leverage of already existing experience gained with other clients
 Reduced need to keep multiple sets of experts in house
Implications:
 Outsourcing reduces focus on controls
 Performance measurement depends on the quality of the SLA
 Lack of clarity regarding organizational responsibility
 Data confidentiality issues with large service providers working for multiple clients
 Prioritization is driven by the service provider vs. the customer
 Loss of key corporate knowledge to outsourced staff
Information Assets
Drivers:
 Reliance on a variety of data for decision making
 Increase in volume of data
 Reliance on infrastructure, people, and facilities to deliver data
Implications:
 Increasing complexity of what constitutes an asset
 Increasing challenge identifying asset ownership
 Challenges of prioritizing assets for protection
Convergence (Technology)
Drivers:
 The expanding enterprise
 Value migration from physical to intangible and information-based assets
 New protective technologies impact several functional areas
 New compliance and regulatory regimes
 Continuing pressure to reduce cost
Implications:
 Shift to enterprise-based view
 Need for new risk mitigation approaches

6 Emerging business trends can no longer be addressed by applying current practices and processes (Industry’s Leading Practices)
Operational Resiliency Capabilities:
 Enterprise
 People
 Technology Assets and Infrastructure
 Information and Data
 Physical Plant
 Resiliency Relationships
 Service Delivery
 Resiliency Sustainability

7 Building an enterprise security program based on a business risk-aligned approach will allow your organization to effectively manage risk (Industry’s Leading Practices)
Evolution of Information Security Functions
Stage 1, Past (Approach: Event-driven, Technology Focus; Scope: Technology Risks)
 Focus on risks in technology infrastructure
 Agenda shaped by technology developments and security incidents
Stage 2, Current (Approach: Audit-Driven, Compliance-Driven; Scope: Technology and Information Risks)
 Scope broadened to include confidentiality, integrity and information assurance
 Reactive business alignment, based on audit functions and regulatory compliance
Stage 3, Desired (Approach: Risk-Driven, Risk Management; Scope: Technology and Information-Related Business Risks)
 Information and technology risk integrated into overall risk umbrella
 Risk-based techniques used to help business set agenda and accept residual risk
Security can only be accomplished with a blend of technical and management solutions.

8 Implications for Romanian Organizations: Opportunities and Implications
Product and Technical Services Vendors
 Enterprises are increasingly willing to rely on outside IA and InfoSec vendors in strategic roles.
 Some enterprises are actively looking for vendors from emerging markets that can provide new skills and mirror the cultural and geographic spread of their companies.
 But they will require that vendors sell and deliver services and products in the context of risk management frameworks they understand and use.
Government and Enterprises
 Users will require that IA systems and policies make information not only secure but also available and trustworthy when and where needed.
 It is important to segment users by Quality of Service requirements in order to maintain security in all cases while delivering the needed availability at the needed cost.
 The risk management model accepts that not all risks can be eliminated. It is important to accurately assess which risks are acceptable and to develop a communication and recovery strategy to deal with potential and actual breaches.

