Presentation on theme: "Robert Garigue VP and Chief Information Security Officer"— Presentation transcript:
1Robert Garigue VP and Chief Information Security Officer Controlling Order and DisorderThe evolving role of the CISO withinthe new structures of Information Systems
2Outline of our expedition Background and Analysis FrameworksBusiness modelsThe nature of the threatsThe strategic information security frameworkEnvironmental factorsInformation security processesEvolution of information security functionsAlignment and Integration challengesEmerging new risks and concernsReflections on the nature and evolving role of the Chief Information Security OfficerTravels in a foreign land
3BMO Financial Group Founded in 1817 – First Canadian Bank Highly diversified financial institutionretail bankingwealth managementinvestment bankingAssets of $256 billion at October 31, 200334,000 employeesStrong presence in US Mid-West through Harris BankcorpOverseas offices around the worldWho is BMO Financial Group?
4Metrics of the Digital BMO 200+ Mainframes276+ Open System Business Critical ApplicationsDesktops2500 support servers6000 main network devices165 Terabytes of datastorage 50%+ a yearSeveral Million Transactions/sec
5Myths and Realities For some the world is a multidimensional place …and for other… it is still flat…There are always Myths and Realities.
6An evolving organizational context : Information Society Some of the New Realities:Information based productivityComputer mediated decisionsRise of the knowledge workerNetwork centric structures and value chainsCommand and Control hierarchies are displaced by Cooperative, Commutative and Coordinated organizations“a burden shared is a burden halved .. an intellectual asset shared is one doubled”
7The Integrated Informational Value-Chain LinkedComplementaryInterdependentFrom Goods or ServicesToGoods with Services
9The impact will be felt in the three realms of cyberspace PhysicalProcessContent
10The Evolution of the Noosphere (Teilhard de Chardin ) UbiquitousTrustedAffectiveAdvisoryAlways onSocialMain FrameClient ServerMobile and Peer to PeerOrganizations(command and control)Individuals(cooperation, coordination,and communication)focus
11It is full of Risk: These are the shape of “Things Now Dead”
12But there will always be conflict between Open systems and Closed systems…. Violent conflict … Pablo Picasso. Guernica Oil on canvas. Museo del Prado, Madrid, Spain
15Arguments For Getting Funding : Levels of Maturity of the Organization Fear, Uncertainty and Despair:“The Hackers, virus, will get us unless..”The Heard Mentality:“The king needs Taxes”…The Analytical ROI ?“Investment in Intrusion Prevention Systems are better than”…Arguments that have yet to come:“Because we can take on more business and manage more risks”(brakes enable cars can go faster)
16Information Security – Managing Expectations Sometimes it is just a communication issue…
17Consequence A: Information Security Officer as The Jester Sees a lotCan tell the king he has no clothesCan tell the king he really is uglyDoes not get killed by the kingNice to have around but…how much security improvement comes from this ?
18Consequence B: Information Security Officer as Road Kill Changes happened faster that he was able to moveDid not read the signsGood intentions went unfulfilledA brutal way to ending a promising careerSad to have around but…how much security improvement comes from this ?
19Maybe a better model for CISO: Charlemagne King of the Franks and Holy Roman Emperor; conqueror of the Lombards and Saxons ( ) - reunited much of Europe after the Dark Ages.He set up other schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court - encouraging the development of a standard script.He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity in every class of people.He relied on Counts, Margraves and Missi Domini to help him.Margraves - Guard the frontier districts of the empire. Margraves retained, within their own jurisdictions, the authority of dukes in the feudal arm of the empire.Missi Domini - Messengers of the King.
20Knowledge of “risky things” is of strategic value How to know today tomorrow’s unknown ?How to structure information security processes in an organization so as to identify and address the NEXT categories of risks ?This is the mandate of information security.
22Indicators and warnings External environment : the rates of evolutions 16 new malware products launched every day: viruses, worms, trojan horses, spyware etc7 new vulnerabilities discovered every day20 minutes guarantyProbes against Financial Institutions web sites launched every 6 secondsSocial engineering is on the rise: People are the weak linkHackersScript kiddiesIndustrial espionageCyber-terrorists,CompetitorsSuppliersHere is my pyramid to make sure you all feel this is valuable presentation This is how Technology and People can map some of our known components.
23Indicators and warnings : Threats and targets The McKinsey Quarterly, 2002 Number 2 Risk and resilienceDaniel F. Lohmeyer, Jim McCrory, and Sofya Pogreb
24Manufacturing exploits: The electronic Petrie Dish Malware : spyware + trojan + spam + exploits + social engineering
25Indicators and warnings How money was lost – Rough order of magnitude (ROM) Here is my pyramid to make sure you all feel this is valuable presentation This is how Technology and People can map some of our known components.Source: CFI/FBI Report 2003530 US based corporations, government and educ. inst.
27Hacking Beliefs Identity Theft One of the fastest growing crimes. Statistics Canada reports 13,359 cases, $21.5 million losses in 2003Account takeover (credit cards, bank accounts)Application fraud (open new accounts with victim’s ID)Industry needs improved identity management solutions and strong public awarenessPhishing (using scams to collect confidential information)Key issues: detection, shutting down bogus sites, customer awarenessBanks are posting warnings on their public sites, and updating security page information with “Q&A” type of information.
29Structuring Risks An Organizational Risk Categorization Taxonomy
30Structuring Risks Regulatory Environment: where are the controls ? PrivacyPersonal Information Protection and Electronic Documents Act (PIPEDA) - CanadaGramm-Leach-Bliley Financial Services Modernization Act (GLBA) - U.SCalifornia Law SB CaliforniaHIPPA (Health)Office of the Superintendent of Financial Institutions (OSFI) – Canada - Guideline B10The Financial Services Authority (FSA) – England - OS Section 4Federal Financial Institutions Examination Council (FFIEC) - U. S.Office of the Comptroller of the Currency (OCC) - U.S. OCCThe Bank Act - OSFI – Canada – Guidelines B6, B7, B10Federal Financial Institutions Examination Council (FFIEC) - U.S. SP-5 PolicySarbanes- Oxley Act (SOX) - U.S.Bill CanadaSEC Rule 17a-4Basel II AccordEuropean Union Directives on Information SecurityCanada’s National Security ProgramPatriot Act - USHere is my pyramid to make sure you all feel this is valuable presentation This is how Technology and People can map some of our known components.Security
31Regulatory Penalties & Fines Grid Name of Regulatory MandateSome Potential PenaltiesPotential FinesSOA20 years in prison$15 millionBasel IIRegulatory agency penalties: vary by G-20 countryRegulatory agency fines: vary by G-20 countryHIPAA10 years in prison$250,000GLBA$1 millionPatriot ActDodFailure to qualify for DoD contract; Contract breach; FAR penaltiesContract penaltiesCalifornia SB 1386Unfair trade practice law penalties: vary by statePrivate civil and class actions; unfair trade practice law fines: vary by stateSEC Rule 17a-4Suspension/expulsion$1 million+
32Emergent Behaviors: An Ecological View of Organizational Risk Organizational accumulated technical residual risk = Environmentprioritiescompliancereviewsresources+TechResidualRisksThe market Driversstandards+++audit--+-Governance bodiesInet, Ipt, ARB, etc+EducationawarenessThe information infrastructure-+outsourcingprojectsTechResidualRiskspractices+--+Riskmangt-ActiveInformationSecurityStrategythreatsNetworkSecurityCouncilLob RISKofficers---lawsIPCRCSANewTechnologyCapitalAtRisk-DataClassif.IdentitymangtAlertsCertificates-Vulner.AnalysisAccessmangtCryptopolicyescalations
33Information Security organization as result of the knowledge transfer process Transfer CyclePassiveReal timeHighComplexity/CapabilityOrganizationalLowVirtual Private NetworksFirewallsVirus ScannersIntrusion Detection MonitoringVulnerability AnalysisReal Time ResponseRole base identityAccess managementDigital RightsManagementSecurity FunctionsTechnical Threats
34Knowledge transfer The Knowledge Transfer Cycle 2 Security Functions BMOISCBAFI CIRT& otherBanksVendorsFIRSTProjectsPSECPCANCERTClientsandBusinesseswirelessInfo/infrastructureUtilitiesHealthTelecomPassiveReal timeHighComplexity/CapabilityOrganizationalLowVirtual Private NetworksFirewallsVirus ScannersIntrusion Detection MonitoringVulnerability AnalysisReal Time ResponseRole base identityAccess managementDigital RightsManagementSecurity FunctionsKnowledge networksThe KnowledgeTransfer Cycle 2
35Control Framework is a hierarchy of accountability structures PrivacyNetwork ProtectionOperating System ProtectionUser AccessControl and AuthorizationObject IntegrityContent CertificationDigital SignaturesContent controlAccessManagementPerimeterProtectionBusinessApplicationsClients/UsersOperationalSupportInfostructureInfrastructureSecurity
36Information Security Management Framework RISK/COSTSTRATEGICRISK LEVEL: LOWTACTICALRISK LEVEL: MEDIUMOPERATIONALRISK LEVEL: HIGHBusinessRequirementsDesignDevelopmentImplementationOperationsRisk curvesSTRATEGICGovernance and policies• Policies• Standards• Procedures• Guidelines• Awareness• ResearchTACTICALApplication/system development and deployment• Design reviews• IS solutions• Due care• Risk acceptance• New technology insertionOPERATONALActive security posture• Antivirusmanagement• Vulnerabilityassessments• Intrusion detection• Incident responseIS services• Access• Key management• Security token• Other operationalservices
37Information Security Key Performance Indicators PolicyNumber of Policy ExceptionsNumber of Risk AcceptancesValue of Residual RiskProcessNumber of security issues in new projectsNumber of ID accounts (active/dead)Number of keys / digital certificates / tokensTime to respond to patches, incidentsLosses due to security incidentsPeopleNumber of certified personnelOverall capital investment ratio security to IT spendper systemper personper incidentTycho Brahe ( )
42Making The Case for Security Investments Return on Investment (ROI) has failed to demonstrate it economically because there are too many variablesBenefits hard to quantify: what’s the value of good health?Statistical data unreliable and changing fastCost avoidance not the same as cost savingsThe “language divide”: accounting vs. securityLoss of credibility more costly than loss of physical assetsTechnology substitution is not a guaranty of more capabilityTotal Security costs?Security InvestmentsHere is my pyramid to make sure you all feel this is valuable presentation This is how Technology and People can map some of our known components.Incidents Costs
43The Security Challenge: Alignment The Digital DivideTwo solitudes, in virtual isolationSecurity servicesIT processesAnti-VirusPatchesVulnerabilityAssessmentsIncidentmanagementIntrusiondetectionApplicationsecurityAccess managementKeyApplication developmentArchitectureProblem managementChangeService levelConfigurationFirewall rulesCapacityAvailabilityIT Service continuityProjectassessmentHere is my pyramid to make sure you all feel this is valuable presentation This is how Technology and People can map some of our known components.
44Maturity Framework Levels: Stages of Evolution of a system PhaseDescription0. AbsenceNothing present1. InitiationConcrete evidence of developmentCharacteristics:visible resultsmanagement reportstask/authorities definedactive rather than reactivedocumentationformal planning2. AwarenessResources allocated3. ControlFormalized4. IntegrationSynergy between processesContinuous self improvement &optimization5. Optimization
45Maturity Frameworks pedigree : The reference framework It is better not to proceed at all than to proceed without method Descartes
46Information Security Maturity model - ISO Information Technology Infrastructure Library (ITIL) SEI – CMM (Capability Maturity Model)
47A proposal for a new integrated risk framework Organizational focusBus. Req.DesignDevelopmentOperationsImplementationThe objective is to lower the overall risk through capability maturity framework integration?ISO ProjectSEI CMMITILISO 17799Risk Management through Maturity Framework alignment
48Strategic Evolution of Information Security IP levelProtocol awarePerimeter basedClosed APILimited to # of UserSingle AdminSimple ProvisioningNode BasedHeterogeneousIsland of securityUnder-maintainedPacketLevelIntegrityClosedBusinesssystemsPerimeterControlXML BasedApplication ControlContent AwareHigher valueAccessible APIMany UsersMultiple connectionsCross organization accessIntegrated Network ViewConsistent PoliciesTiered AdministrationRemote monitoring and managementApplicationAssurancesIntegratedSystemsManagedSecurityServicesTarget Security ModelPresent Security Model
49“unstructured” Documents The new Information Security challenge: Managing the “Roles and Content” via “Rights and Privileges”BusinessAutomationCompany(B2E)Partners(B2B)Customers(B2C)MobilityNumber ofDigital IDsInternetROLESClient ServerApplicationsKey Message: As the number of applications and systems that we relay on has increased, so has the number of identities that IT needs to manage and end users need to use.Key Talking Point: Our world is increasingly more connected today where the experience can often be the result of an “Application Network”, where information and logic is stored across multiple applications. To deliver a valuable experience to the end user, identity needs to flow through all of the applications. We can no longer accept a model where we have an digital identity to gain access each application.Identity management built into each application one individual, 6-10 identitiesCentralized system economies of scale, better controlhigher productivity, e.g. from 2 weeks to 2 days to set up a new employeereduced number of password resetsfaster development time (security provided, not re-developed)Growth of“unstructured” DocumentsMainframeCONTENT
50Information centric organization Content increasingly easy to collect and digitizeHas increasing importance in products and servicesIs very hard to value or priceHas a decreasing half lifeHas increasing risk exposureintegrity-qualityregulation privacy/SOXIs a significant expense in all enterprises(IT Governance – Weill and Ross)Michael C. Daconta
51Where are the risk coming from the rise of the info-structure Where is the locus of control outside the boundaries of the organization ?Information Security Management has to recognize a requirement for a content control model that is independent from a specific technical solution.Policy: RulesInfostructure: ContentInfrastructure: TechnologyTo deal with the new information security risks in “semantics management” Then the focus to content management and issues: Topic Maps, XML, RDF, UDDI, XBRL, SAML, Ontologies, And more and moreTag/ CONTENT /tagXML
52The Integrated Architecture : Content and Technology WebPDACellWeb ServerRequest and User ID /passwordCustomized XML Docs/InfoProfilesRights and PrivilegesProvisioning EngineRulesContent requestContent responseApplicationContent Management SystemApplicationApplicationApplicationStaticContentStyleSheetsSyndicationServerDataServer
53Content Classification The Architecture of the Infostructure The Ontology of Information ManagementPoliciesRule MappingFrom Policies to XMLProcessE-ContentLife CycleManagementSyntaxXMLTopic MapsRDFUDDIXBRLOutcomesArchitectureQualityOfServiceSOAPeer to PeerGroupwareRiskAssessmentOfferingsResourcesTransactionsReferencesLocationsPolicy and regulationsDirectionsContracts FinancesMarketsStandardsNetBizRosetaNetDataQualityInformationLife cycleContent ClassificationSensitivityKnowledgeROI onIntellectual CapitalTaxonomiesOrganizationsBusinessApplicationsRoles
54Information Management as Information Security NEW IMPERATIVESData ClassificationInformation stewardsContent lifecycle managementIdentity ManagementDigital Rights Management ServicesRecommended Controls ( accumulates as you go down )Examples of contentReview and sign off of Logs by stewards and custodiansSystems involved are assessed periodically and aroundsignificant changesHost/device monitoring for intrusionTrained and certified information security people involved in threview of operationsCustomer publicidentification associatedwith account informationCustomer Data with SINStrategic PlansHighlySensitiveEncryptionSeparation of DutiesSecured log files and Access ControlReview of Sample LogsTrained and certified people involved in design and operationPasswords listsCustomer NamesProject documentationCustomer SnapshotsCredit Card NumbersAccount NumbersConfidentialAssets should be labeled with ClassificationLog filesBroad Access ControlPolicy documentsRoutine ProceduresInternalContracts, Licensing, usage and log files for activity purposeNews clippingsMarket DataPublicTrained and certified information security people involved in theEncryption – anonymizing - pseudomizingHere is my pyramid to make sure you all feel this is valuable presentation This is how Technology and People can map some of our known components.
55The New Audit Space Control of Content : Digital Rights Management HR ReportingHierarchyReports toEmployeeIndividual Is aEnID Maps to ApplicationUser IDIs needed toaccess ApplicationSystemNon-EmployeeIs a Includes OccupiesApplies to EnterpriseAssetActivity GeneratesUser Interface(Desktop)IndividualPositionIs Granted Right /PrivilegeIdentifies accessneeds of role UpdatesRoleActualTargetHas a Is partof ProvisionRole Group Has aPositionRequires Is partof CPMRole GroupReports toPositionHierarchyIs at a Org Unit /LocationStandardTargetTargets arebased on
56The next level of challenge Aligning the Infostructure with the Infrastructure Organizational Complexity/CapabilityDacontaSemantic ManagementContent ManagementInfostructureArchitectureHighXML FirewallsDigital RightsManagementSecurity FunctionsRole base identityAccess managementReal Time ResponseIntrusion Detection MonitoringVulnerability AnalysisInfrastructureArchitectureVirtual Private NetworksVirus ScannersFirewallsLowReal timePassive
57The New Security Debate Space The B2B market forces are enabling standards.B2B modelsTaxonomies and ontologiesXML ProtocolsWS-Security standardsWhat protocol and standards drive your business ?Do you have an Information Security Officer debating these issues ?
58The Role of the Chief Information Security Officer Information Risk identificationInformation Risk formalizationDevelopment of practices and toolsIntegrate “root cause” analysis into governance frameworkDevolve processes from exception management into operationsImprove Information asset identification and management accountability
59The Dynamics of Systems Changes "There is no problem so complicated that you can't find a very simple answer to it if you look at it the right way."-- Douglas AdamsPink FloydNorbert WienerThe key to progress is the process of feedbackin its most simple form, two-way communication.