Robert Garigue VP and Chief Information Security Officer

1 Robert Garigue VP and Chief Information Security Officer
Controlling Order and Disorder: The evolving role of the CISO within the new structures of Information Systems

2 Outline of our expedition
• Background and Analysis Frameworks
• Business models
• The nature of the threats
• The strategic information security framework
• Environmental factors
• Information security processes
• Evolution of information security functions
• Alignment and Integration challenges
• Emerging new risks and concerns
• Reflections on the nature and evolving role of the Chief Information Security Officer
Travels in a foreign land

3 BMO Financial Group Founded in 1817 – First Canadian Bank
Who is BMO Financial Group?
• Highly diversified financial institution: retail banking, wealth management, investment banking
• Assets of $256 billion at October 31, 2003
• 34,000 employees
• Strong presence in US Mid-West through Harris Bankcorp
• Overseas offices around the world

4 Metrics of the Digital BMO
200+ Mainframes 276+ Open System Business Critical Applications Desktops 2500 support servers 6000 main network devices 165 Terabytes of data storage 50%+ a year Several Million Transactions/sec

5 Myths and Realities For some the world is a multidimensional place
…and for others… it is still flat… There are always Myths and Realities.

6 An evolving organizational context : Information Society
Some of the New Realities:
• Information based productivity
• Computer mediated decisions
• Rise of the knowledge worker
• Network centric structures and value chains
• Command and Control hierarchies are displaced by Cooperative, Commutative and Coordinated organizations
“a burden shared is a burden halved .. an intellectual asset shared is one doubled”

7 The Integrated Informational Value-Chain
Linked, Complementary, Interdependent. From Goods or Services to Goods with Services.

8 Information Flows : Health Care Ecosystem

9 The impact will be felt in the three realms of cyberspace
Physical, Process, Content

10 The Evolution of the Noosphere (Teilhard de Chardin )
Diagram labels: Ubiquitous; Trusted; Affective; Advisory; Always on; Social
Stages: Main Frame, Client Server, Mobile and Peer to Peer
Focus: Organizations (command and control); Individuals (cooperation, coordination, and communication)

11 It is full of Risk: These are the shape of “Things Now Dead”

12 But there will always be conflict between Open systems and Closed systems…. Violent conflict …
Pablo Picasso. Guernica Oil on canvas. Museo del Prado, Madrid, Spain

13 Zero-day virus Slammer – 30 minutes later

14 Information Security: A new oxymoron
The debate

15 Arguments For Getting Funding : Levels of Maturity of the Organization
• Fear, Uncertainty and Despair: “The Hackers, virus, will get us unless..”
• The Herd Mentality: “The king needs Taxes”…
• The Analytical ROI? “Investment in Intrusion Prevention Systems are better than”…
• Arguments that have yet to come: “Because we can take on more business and manage more risks” (brakes enable cars to go faster)

16 Information Security – Managing Expectations Sometimes it is just a communication issue…

17 Consequence A: Information Security Officer as The Jester
• Sees a lot
• Can tell the king he has no clothes
• Can tell the king he really is ugly
• Does not get killed by the king
Nice to have around but… how much security improvement comes from this?

18 Consequence B: Information Security Officer as Road Kill
• Changes happened faster than he was able to move
• Did not read the signs
• Good intentions went unfulfilled
• A brutal way to end a promising career
Sad to have around but… how much security improvement comes from this?

19 Maybe a better model for CISO: Charlemagne
King of the Franks and Holy Roman Emperor; conqueror of the Lombards and Saxons ( ) - reunited much of Europe after the Dark Ages. He set up other schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court - encouraging the development of a standard script. He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity in every class of people. He relied on Counts, Margraves and Missi Domini to help him. Margraves - Guard the frontier districts of the empire. Margraves retained, within their own jurisdictions, the authority of dukes in the feudal arm of the empire. Missi Domini - Messengers of the King.

20 Knowledge of “risky things” is of strategic value
• How to know today tomorrow’s unknown?
• How to structure information security processes in an organization so as to identify and address the NEXT categories of risks?
This is the mandate of information security.

21 The Interconnected Societies: the critical Infrastructure
Common layers:
• GEOGRAPHICAL MAP LAYER (Geo-political boundaries)
• TERRAIN LAYER (Elevation)
• FEATURE LAYER (Land Use, Cities, Buildings, Towers)
• PHYSICAL BACKBONE LAYER (Cables, Fiber Routes, Satellites)
• TRANSPORT SERVICES LAYER (SONET Rings, ATM, PSTN)
• TELECOM SERVICES LAYER (Internet, Data, Voice, Fax)
Sector Dependent Layers: OPERATIONS, TECHNICAL APPLICATION, CONTROL
Sectors: TELECOM; UTILITIES; FINANCIAL; GOV; HEALTH CARE
Diagram labels: Billing & Resource Planning; Load Balancing; Reliability; SS7; SCADA; Payment; Internet Banking; Financial Services Utilities; Stock / Financial Exchanges; POS Terminals; ATMs; Billing Administration; Diagnostics; Electronic Records; Hospitals; Labs & Clinics; Pharmacies; HL7; Legislation; Taxation; Law - Order; Secure channels; Prov, and Fed; Grid / Pipeline Monitoring & Control

22 Indicators and warnings External environment : the rates of evolutions
• 16 new malware products launched every day: viruses, worms, trojan horses, spyware etc
• 7 new vulnerabilities discovered every day
• 20 minutes guaranty
• Probes against Financial Institutions web sites launched every 6 seconds
• Social engineering is on the rise: People are the weak link
Diagram labels: Hackers; Script kiddies; Industrial espionage; Cyber-terrorists; Competitors; Suppliers
Here is my pyramid to make sure you all feel this is valuable presentation. This is how Technology and People can map some of our known components.

23 Indicators and warnings : Threats and targets
Source: Daniel F. Lohmeyer, Jim McCrory, and Sofya Pogreb, “Risk and resilience”, The McKinsey Quarterly, 2002 Number 2

24 Manufacturing exploits: The electronic Petrie Dish Malware : spyware + trojan + spam + exploits + social engineering

25 Indicators and warnings How money was lost – Rough order of magnitude (ROM)
Source: CSI/FBI Report 2003; 530 US based corporations, government and educ. inst.

26 Identity Theft in Canada

27 Hacking Beliefs Identity Theft
• One of the fastest growing crimes.
• Statistics Canada reports 13,359 cases, $21.5 million losses in 2003
• Account takeover (credit cards, bank accounts)
• Application fraud (open new accounts with victim’s ID)
• Industry needs improved identity management solutions and strong public awareness
• Phishing (using scams to collect confidential information)
• Key issues: detection, shutting down bogus sites, customer awareness
• Banks are posting warnings on their public sites, and updating security page information with “Q&A” type of information.

28 Emergent Complexity : Spam Space as Risk

29 Structuring Risks An Organizational Risk Categorization Taxonomy

30 Structuring Risks Regulatory Environment: where are the controls ?
Privacy
• Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
• Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) - U.S
• California Law SB California
• HIPAA (Health)
• Office of the Superintendent of Financial Institutions (OSFI) – Canada - Guideline B10
• The Financial Services Authority (FSA) – England - OS Section 4
• Federal Financial Institutions Examination Council (FFIEC) - U. S.
• Office of the Comptroller of the Currency (OCC) - U.S. OCC
• The Bank Act - OSFI – Canada – Guidelines B6, B7, B10
• Federal Financial Institutions Examination Council (FFIEC) - U.S. SP-5 Policy
• Sarbanes-Oxley Act (SOX) - U.S.
• Bill Canada
• SEC Rule 17a-4
• Basel II Accord
• European Union Directives on Information Security
• Canada’s National Security Program
• Patriot Act - US
Security

31 Regulatory Penalties & Fines Grid
Name of Regulatory Mandate | Some Potential Penalties | Potential Fines
SOA | 20 years in prison | $15 million
Basel II | Regulatory agency penalties: vary by G-20 country | Regulatory agency fines: vary by G-20 country
HIPAA | 10 years in prison | $250,000
GLBA | | $1 million
Patriot Act | |
DoD | Failure to qualify for DoD contract; Contract breach; FAR penalties | Contract penalties
California SB 1386 | Unfair trade practice law penalties: vary by state | Private civil and class actions; unfair trade practice law fines: vary by state
SEC Rule 17a-4 | Suspension/expulsion | $1 million+

32 Emergent Behaviors: An Ecological View of Organizational Risk
Organizational accumulated technical residual risk (influence diagram)
Diagram labels: Environment; priorities; compliance reviews; resources; Tech Residual Risks; The market; Drivers; standards; audit; Governance bodies: Inet, Ipt, ARB, etc; Education awareness; The information infrastructure; outsourcing; projects; practices; Risk mangt; Active Information Security Strategy; threats; Network Security Council; Lob RISK officers; laws; IPC; RCSA; New Technology; Capital AtRisk; Data Classif.; Identity mangt; Alerts; Certificates; Vulner. Analysis; Access mangt; Crypto policy; escalations

33 Information Security organization as result of the knowledge transfer process
Axes: Transfer Cycle (Passive to Real time); Organizational Complexity/Capability (Low to High)
Security Functions: Virtual Private Networks; Firewalls; Virus Scanners; Intrusion Detection; Monitoring; Vulnerability Analysis; Real Time Response; Role base identity; Access management; Digital Rights Management
Also labelled: Technical Threats

34 Knowledge transfer The Knowledge Transfer Cycle 2 Security Functions
Knowledge networks: BMO IS; CBA; FI CIRT & other Banks; Vendors; FIRST; Projects; PSECP; CANCERT; Clients and Businesses; wireless; Info/infra structure; Utilities; Health; Telecom
Axes: Passive to Real time; Organizational Complexity/Capability (Low to High)
Security Functions: Virtual Private Networks; Firewalls; Virus Scanners; Intrusion Detection; Monitoring; Vulnerability Analysis; Real Time Response; Role base identity; Access management; Digital Rights Management

35 Control Framework is a hierarchy of accountability structures
Diagram labels: Privacy; Network Protection; Operating System Protection; User Access Control and Authorization; Object Integrity; Content Certification; Digital Signatures; Content control; Access Management; Perimeter Protection; Business Applications; Clients/Users; Operational Support; Info structure; Infra structure; Security

36 Information Security Management Framework
Risk curves (RISK/COST) across: Business Requirements, Design, Development, Implementation, Operations
STRATEGIC (RISK LEVEL: LOW): Governance and policies
• Policies
• Standards
• Procedures
• Guidelines
• Awareness
• Research
TACTICAL (RISK LEVEL: MEDIUM): Application/system development and deployment
• Design reviews
• IS solutions
• Due care
• Risk acceptance
• New technology insertion
OPERATIONAL (RISK LEVEL: HIGH): Active security posture
• Antivirus management
• Vulnerability assessments
• Intrusion detection
• Incident response
IS services
• Access
• Key management
• Security token
• Other operational services

37 Information Security Key Performance Indicators
Policy
• Number of Policy Exceptions
• Number of Risk Acceptances
• Value of Residual Risk
Process
• Number of security issues in new projects
• Number of ID accounts (active/dead)
• Number of keys / digital certificates / tokens
• Time to respond to patches, incidents
• Losses due to security incidents
People
• Number of certified personnel
Overall capital investment ratio security to IT spend per system per person per incident
Tycho Brahe ( )

38 Information Security Key Performance Metrics

39 Microsoft Patch Deployment
Chart labels: Emergency; Accelerated; Normal
Note: April 2004 release required 4 separate patches

40 Active security posture – Vulnerability Analysis results
CWAN Capital Markets Nesbitt Burns

41 Quarterly Information Security Dashboard
Dashboard columns: Last Q; Forecast; Posture; Details on Page
Dashboard rows: Training; Education & Awareness; Analytics/reporting; Business Analytics; Remote Access; CSPIN (devices); Access Management; Encryption (PKI); Key Management; Information Security Operations; Response/Management; Intrusion Detection; Vulnerability Assessment; Anti Virus; Information Protection Centre; Project Assessments; Standards & Architecture; IS Policy & Strategy; Security Practices & Technology; Enterprise Information Security Service; Information Security Group
Legend: Key Issues; positive trend; negative trend; stable; unsatisfactory; fully satisfactory

42 Making The Case for Security Investments
• Return on Investment (ROI) has failed to demonstrate it economically because there are too many variables
• Benefits hard to quantify: what’s the value of good health?
• Statistical data unreliable and changing fast
• Cost avoidance not the same as cost savings
• The “language divide”: accounting vs. security
• Loss of credibility more costly than loss of physical assets
• Technology substitution is not a guarantee of more capability
Chart labels: Total Security costs ?; Security Investments; Incidents Costs

43 The Security Challenge: Alignment
The Digital Divide: two solitudes, in virtual isolation (Security services and IT processes)
Diagram labels: Anti-Virus; Patches; Vulnerability Assessments; Incident management; Intrusion detection; Application security; Access management; Key; Application development; Architecture; Problem management; Change; Service level; Configuration; Firewall rules; Capacity; Availability; IT Service continuity; Project assessment

44 Maturity Framework Levels: Stages of Evolution of a system
Phase | Description
0. Absence | Nothing present
1. Initiation | Concrete evidence of development
2. Awareness | Resources allocated
3. Control | Formalized
4. Integration | Synergy between processes
5. Optimization | Continuous self improvement & optimization
Characteristics: visible results; management reports; task/authorities defined; active rather than reactive; documentation; formal planning

45 Maturity Frameworks pedigree : The reference framework
“It is better not to proceed at all than to proceed without method” (Descartes)

46 Information Security Maturity model - ISO Information Technology Infrastructure Library (ITIL) SEI – CMM (Capability Maturity Model)

47 A proposal for a new integrated risk framework
Organizational focus Bus. Req. Design Development Operations Implementation The objective is to lower the overall risk through capability maturity framework integration ? ISO Project SEI CMM ITIL ISO 17799 Risk Management through Maturity Framework alignment

48 Strategic Evolution of Information Security
Present Security Model: IP level; Protocol aware; Perimeter based; Closed API; Limited to # of User; Single Admin; Simple Provisioning; Node Based; Heterogeneous; Island of security; Under-maintained; Packet Level Integrity; Closed Business systems; Perimeter Control
Target Security Model: XML Based; Application Control; Content Aware; Higher value; Accessible API; Many Users; Multiple connections; Cross organization access; Integrated Network View; Consistent Policies; Tiered Administration; Remote monitoring and management; Application Assurances; Integrated Systems; Managed Security Services

49 “unstructured” Documents
The new Information Security challenge: Managing the “Roles and Content” via “Rights and Privileges”
Diagram labels: Business Automation; Company (B2E); Partners (B2B); Customers (B2C); Mobility; Number of Digital IDs; Internet; ROLES; Client Server; Applications; Mainframe; CONTENT; Growth of “unstructured” Documents
Key Message: As the number of applications and systems that we rely on has increased, so has the number of identities that IT needs to manage and end users need to use.
Key Talking Point: Our world is increasingly more connected today where the experience can often be the result of an “Application Network”, where information and logic is stored across multiple applications. To deliver a valuable experience to the end user, identity needs to flow through all of the applications. We can no longer accept a model where we have a digital identity to gain access to each application.
• Identity management built into each application: one individual, 6-10 identities
• Centralized system: economies of scale, better control
• higher productivity, e.g. from 2 weeks to 2 days to set up a new employee
• reduced number of password resets
• faster development time (security provided, not re-developed)

50 Information centric organization
• Content increasingly easy to collect and digitize
• Has increasing importance in products and services
• Is very hard to value or price
• Has a decreasing half life
• Has increasing risk exposure: integrity-quality, regulation, privacy/SOX
• Is a significant expense in all enterprises (IT Governance – Weill and Ross)
Michael C. Daconta

51 Where are the risks coming from: the rise of the info-structure
Where is the locus of control outside the boundaries of the organization?
Information Security Management has to recognize a requirement for a content control model that is independent from a specific technical solution.
• Policy: Rules
• Infostructure: Content
• Infrastructure: Technology
To deal with the new information security risks in “semantics management”, the focus then shifts to content management and its issues: Topic Maps, XML, RDF, UDDI, XBRL, SAML, Ontologies, and more and more.
XML: Tag/ CONTENT /tag

52 The Integrated Architecture : Content and Technology
Web PDA Cell Web Server Request and User ID /password Customized XML Docs/Info Profiles Rights and Privileges Provisioning Engine Rules Content request Content response Application Content Management System Application Application Application Static Content Style Sheets Syndication Server Data Server

53 Content Classification
The Architecture of the Infostructure The Ontology of Information Management Policies Rule Mapping From Policies to XML Process E-Content Life Cycle Management Syntax XML Topic Maps RDF UDDI XBRL Outcomes Architecture Quality Of Service SOA Peer to Peer Groupware Risk Assessment Offerings Resources Transactions References Locations Policy and regulations Directions Contracts Finances Markets Standards NetBiz RosettaNet Data Quality Information Life cycle Content Classification Sensitivity Knowledge ROI on Intellectual Capital Taxonomies Organizations Business Applications Roles

54 Information Management as Information Security
NEW IMPERATIVES: Data Classification; Information stewards; Content lifecycle management; Identity Management; Digital Rights Management Services

Recommended Controls (accumulates as you go down) and Examples of content, by classification:

Public
• Examples of content: News clippings; Market Data
• Recommended controls: Contracts, Licensing, usage and log files for activity purpose

Internal
• Examples of content: Policy documents; Routine Procedures
• Recommended controls: Assets should be labeled with Classification; Log files; Broad Access Control

Confidential
• Examples of content: Passwords lists; Customer Names; Project documentation; Customer Snapshots; Credit Card Numbers; Account Numbers
• Recommended controls: Encryption; Separation of Duties; Secured log files and Access Control; Review of Sample Logs; Trained and certified people involved in design and operation

Highly Sensitive
• Examples of content: Customer public identification associated with account information; Customer Data with SIN; Strategic Plans
• Recommended controls: Review and sign off of Logs by stewards and custodians; Systems involved are assessed periodically and around significant changes; Host/device monitoring for intrusion; Trained and certified information security people involved in the review of operations

Trained and certified information security people involved in the Encryption – anonymizing - pseudonymizing

55 The New Audit Space Control of Content : Digital Rights Management
HR Reporting Hierarchy Reports to Employee Individual  Is a EnID Maps to  Application User ID Is needed to access  Application System Non- Employee Is a  Includes  Occupies Applies to  Enterprise Asset Activity  Generates User Interface (Desktop) Individual Position Is Granted  Right / Privilege Identifies access needs of role  Updates Role Actual Target Has a  Is part of  Provision Role Group  Has a Position Requires  Is part of  CPM Role Group Reports to Position Hierarchy Is at a  Org Unit / Location Standard Target Targets are based on

56 The next level of challenge Aligning the Infostructure with the Infrastructure
Axes: Passive to Real time; Organizational Complexity/Capability (Low to High)
Infostructure Architecture (Daconta): Semantic Management; Content Management
Security Functions: XML Firewalls; Digital Rights Management; Role base identity; Access management; Real Time Response; Intrusion Detection; Monitoring; Vulnerability Analysis
Infrastructure Architecture: Virtual Private Networks; Virus Scanners; Firewalls

57 The New Security Debate Space
The B2B market forces are enabling standards.
• B2B models
• Taxonomies and ontologies
• XML Protocols
• WS-Security standards
What protocol and standards drive your business?
Do you have an Information Security Officer debating these issues?

58 The Role of the Chief Information Security Officer
• Information Risk identification
• Information Risk formalization
• Development of practices and tools
• Integrate “root cause” analysis into governance framework
• Devolve processes from exception management into operations
• Improve Information asset identification and management accountability

59 The Dynamics of Systems Changes
"There is no problem so complicated that you can't find a very simple answer to it if you look at it the right way." -- Douglas Adams
Pink Floyd
Norbert Wiener
The key to progress is the process of feedback in its most simple form, two-way communication.

60 Social Engineering … at its best…

61 The future of information security is bright ..
Become a CISO and survive

62 Colophon

63 Thank you
