Copyright 2004 Integrity Incorporated Carolyn Burke, MA, CISSP, CISM CEO, Integrity Incorporated Mitigate Risk March 23, 2004, 2pm.

Slide 1: Mitigate Risk
Carolyn Burke, MA, CISSP, CISM
CEO, Integrity Incorporated
March 23, 2004, 2pm

Slide 2: Things we should go over
– Background Information
– Identifying Risks
– Relationship between Privacy & Security
– What Causes Security & Privacy Risks
– Using a Risk Management Approach
– Risk and Vulnerability Assessment
– Protecting Privacy & Security
– Security & Privacy Management Capabilities Maturity Model
– Case Study!

Slide 3: But first, how mature do you think you are?
From 1 to 5, rate yourself:
– on policy, process & procedures
– on privacy & security
– on technology
(scale: 1 2 3 4 5)

Slide 4: Identifying Risks: What is at Risk?
Assets of the organization include:
– Secrets
– $$
– Time, effort
– People

Slide 5: What else is at Risk?
– Public trust in the organization
  PR risk
  May impede ability of the organization to operate effectively
– Operational capabilities of the organization
  Can be disrupted by unauthorized system modifications
  Can be disrupted by Denial of Service and Distributed Denial of Service attacks

Slide 6: And still more
– Your clients
  Privacy of clients’ personal information
    Legally protected (legislation)
    Contractually protected (policy, contract)
    What information must be protected?
– Accuracy of clients’ personal information
  Legal requirements
  Operational necessity

Slide 7: Identifying Risks (discussion)

Slide 8: The Relationship between Privacy & Security
Privacy legislation:
– Which legislation applies to your organization?
– What information is governed?
– What controls need to be in place? For how long?
– FIPPA (municipal, provincial)
– Personal Information Protection and Electronic Documents Act (PIPEDA - Jan 2004 - federal)

Slide 9: The Relationship between Privacy & Security
“Personal Information” is protected:
– Restrictions on use
– Restrictions on sharing
– Requirements for control: access, updating, alteration protection

Slide 10: The Relationship between Privacy & Security
Privacy is one part of the overall online security challenge:
– Protection of information in storage (databases, files, documents, etc.)
– Protection of information in transmission (web forms, wireless, transactions, uploads, etc.)
– Protection of information through media transformation (print forms, data entry, IVR, contact center, etc.)

Slide 11: The Relationship between Privacy & Security
Security also includes:
– Data integrity
  In storage
  In transmission
– System integrity
– Confidentiality
  Of data
  Of processes
– Authentication (persons and data)
– Non-repudiation
– Availability
– Checks and balances, audits, reporting

Slide 12: The Relationship between Privacy & Security
[diagram: the C-I-A security triad: confidentiality, integrity, availability]

Slide 13: The Relationship between Privacy & Security
Provide examples of issues which impact your organization re:
– Privacy
– Integrity
– Authentication
– Non-repudiation
[diagram: C-I-A security triad]

Slide 14: What Causes Security & Privacy Risks
– Technical vulnerabilities
– Fraud
– Operational issues
– The bad guys

Slide 15: Technical vulnerabilities
– Technical faults
  Software bugs, incorrect documentation
– Misconfiguration
  software, servers, firewalls / security systems, routers
  various other network elements
– Hardware failure
  lack of redundancy
  poor maintenance schedule

Slide 16: More technical vulnerabilities
– Poor technical architecture
– Lack of:
  appropriate perimeter defenses
  intrusion detection systems
  adequate access controls
  adequate authentication systems
  adequate authorization controls

Slide 17: Fraud
Intentional misrepresentation:
– By clients
– By staff
– By company executives
– External parties misrepresenting the company

Slide 18: Operational issues
– Insufficient checks & balances
  peer review
  periodic internal review
  external audit
– Human error
– Faulty procedures
– Undocumented or missing procedures
– Lack of standardization
Do you have:
[ ] a security awareness program
[ ] a readable security policy
[ ] an incident response plan

Slide 19: More operational issues
– Lack of a clear policy framework
– Poor real-time handling of security incidents
– Lack of privacy awareness among all staff
– Lack of security awareness among all staff
– Extreme shortage of security skills among IT staff
Do you have:
[ ] a business continuity plan
[ ] a disaster recovery plan
[ ] a backup and recovery system

Slide 20: Bad guys
– Amateur hackers
– Well-intentioned researchers
– Malicious professionals
– Financially motivated professionals (your loss, their gain)

Slide 21: What Causes Security & Privacy Risks
What high-level approach does your organization use today to address security & privacy issues? How effective is it?

Slide 22: The Risk Management Approach to Security & Privacy Strategy
You can’t eliminate 100% of risks…

Slide 23: The Risk Management Approach to Security & Privacy Strategy
… but you can develop a risk management framework which...

Slide 24: A Risk Management Framework
– takes a strategic approach
– provides a disciplined cost-benefit framework
– establishes clear high-level policies to guide tactical decision-making
– provides detailed processes & procedures

Slide 25: A Risk Management Framework
– specifies appropriate levels of protection (technical & procedural) based on sound analysis of vulnerabilities & resulting risks
– sets technical standards
– justifies security & privacy expenditures on both an economic & a legislative basis

Slide 26: The Risk Management Approach: Key Components
– Driven by risk analysis
  Types of risks × Probabilities of risk × Costs of losses
  Types of risk mitigation - impact on probabilities and losses
– High-level security & privacy mandate - policies!
– Accountability in all risk-related activities
– Success factors
  Continuous Improvement
  Dynamic response to new threats

Slide 27: Continuous Security Framework
Okay, this is for the CSO.

Slide 28: Continuous Security Framework
[diagram: flow of control, flow of knowledge, verification]

Slide 29: Continuous Security Framework: Metrics & Continuous Improvement

Slide 30: Continuous Security Framework

Slide 31: The Risk Management Approach to Security & Privacy Strategy
Map out the high-level steps your organization needs to take to use a risk-management approach to privacy and security.

Slide 32: Risk and Vulnerability Assessment
Risk vs. Vulnerability:
– Risk is economic & legal
– Vulnerability is technical & procedural

Slide 33: Quantifying risk
Economic Risk ($) = Types of risks × Probabilities of risk (%) × Costs of losses ($)
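The slide's formula carried through in code, as an added example that is not part of the presentation: it sums probability × cost over a constructed risk register and then asks the cost-benefit question the deck raises on its "Key Components" slide, whether a mitigation that changes a risk's probability or loss pays for itself. The risk names, probabilities, costs and mitigations are all constructed for illustration.

```python
# Added example (not from the presentation): the slide's formula, Economic
# Risk = Types of risks x Probabilities of risk x Costs of losses, carried through
# for a constructed risk register, plus the mitigation cost-benefit the deck raises.
from dataclasses import dataclass, field

@dataclass
class RiskType:
    name: str
    probability: float  # annual probability of the loss event, 0.0 to 1.0
    cost: float         # cost of the loss if the event occurs, in $

    def expected_loss(self) -> float:
        return self.probability * self.cost  # one term: P(risk) x Cost of loss

@dataclass
class Mitigation:
    name: str
    annual_cost: float
    # Per-risk multipliers on probability and cost; 1.0 (default) = no effect
    probability_factor: dict = field(default_factory=dict)
    cost_factor: dict = field(default_factory=dict)

def economic_risk(risks):
    """Sum expected loss over all risk types (the slide's formula)."""
    return sum(r.expected_loss() for r in risks)

def apply_mitigation(risks, m):
    """Risk register after the mitigation's effect on each P and Cost."""
    return [RiskType(r.name, r.probability * m.probability_factor.get(r.name, 1.0),
                     r.cost * m.cost_factor.get(r.name, 1.0)) for r in risks]

def net_benefit(risks, m):
    """Annual loss avoided minus the mitigation's annual cost; > 0 means justified."""
    return economic_risk(risks) - economic_risk(apply_mitigation(risks, m)) - m.annual_cost

# Constructed risk register and candidate mitigations (hypothetical figures)
RISKS = [
    RiskType("privacy breach of client records", 0.10, 500_000),
    RiskType("denial of service outage", 0.30, 50_000),
    RiskType("unauthorized system modification", 0.05, 200_000),
]
ENCRYPT_RECORDS = Mitigation("encrypt stored client records", 15_000,
                             cost_factor={"privacy breach of client records": 0.2})
DDOS_FILTERING = Mitigation("upstream DDoS filtering service", 30_000,
                            probability_factor={"denial of service outage": 0.5})

if __name__ == "__main__":
    print(f"Economic risk before mitigation: ${economic_risk(RISKS):,.0f}")
    for m in (ENCRYPT_RECORDS, DDOS_FILTERING):
        print(f"{m.name}: net benefit ${net_benefit(RISKS, m):,.0f}")
```

On these constructed figures the encryption control avoids more expected loss than it costs, while the DDoS service does not; the point is that the same formula justifies (or rejects) each expenditure on an economic basis, as slide 25 calls for.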

Slide 34: Assessing vulnerability
– Technical
  Attack & Penetration Testing
  Network Security Review
– Procedural
  Privacy Impact Assessment
  Policy Audit
  Processes & Procedures Audit

Slide 35: Risk and Vulnerability Assessment
Estimate the outcomes which would result if your organization were to undergo:
– A thorough Attack & Penetration test?
– A thorough Network Security Review?
– A thorough Privacy Policies Audit?
– A thorough Operational Security (Processes & Procedures) Audit?

Slide 36: Protecting Privacy & Security
– Technology solutions
– Procedural solutions

Slide 37: Technology solutions
– Firewalls → privacy, integrity, authentication
– Encryption → privacy
  Includes SSL (for web traffic), IPSec VPNs (for remote network access), PGP and S/MIME (for email), etc.

Slide 38: Technology solutions
– Passwords → authentication
  Risks: reusable passwords, plaintext protocols
– Tokens → authentication
– Certificates → authentication
– Intrusion Detection Systems / IDS → integrity, privacy

Slide 39: Technology solutions
– Digital signatures → integrity, authentication, non-repudiation
– PKI → privacy, authentication, integrity, non-repudiation
– PMI → authorization, privacy, authentication, integrity

Slide 40: Procedural solutions
– “Need to know” (principle of least privilege) → privacy
– Change controls → privacy, authentication, integrity, non-repudiation

Slide 41: Procedural solutions
– Audit processes → increased assurance re. all factors
– Technical standardization → privacy, authentication, integrity, non-repudiation

Slide 42: Protecting Privacy & Security
What are the primary methods (procedural / technological) used by your organization to:
– Protect privacy
– Perform authentication
– Ensure non-repudiation for online transactions
– Maintain data and systems integrity

Slide 43: Security & Privacy Management Capabilities Maturity Model (TM)

Slide 44: Security & Privacy Management Capabilities Maturity Model (TM)
– Measuring success using a baseline
  Proprietary, standardized
  Based on CERT’s Systems Security Engineering Capability Maturity Model
– Provides maturity metrics on high-level organizational security and privacy capabilities

Slide 45: SPM-CMM (TM) Level 1
– Organization handles Security & Privacy issues informally
– Organization does not have documented Security & Privacy policies

Slide 46: SPM-CMM (TM) Level 2
– Organization has documented Security & Privacy policies
– Organization has assigned resources to plan Security & Privacy initiatives
– Effective training programs re. Security & Privacy
– Organization has effective processes to verify compliance with Security & Privacy policies

Slide 47: SPM-CMM (TM) Level 3
– Organization has concrete Security & Privacy standards & requirements (policies, procedures, technical standards)
– Organization has effective processes to verify consistency of all activities with Security & Privacy standards & requirements

Slide 48: SPM-CMM (TM) Level 4
– Organization has measurable, quantitative Security & Privacy goals
– Organization tracks objective performance relative to Security & Privacy goals
– Strong individual accountability

Slide 49: SPM-CMM (TM) Level 5
– Organization has an effective Continuous Improvement program for Security & Privacy
– Organization has defined improvement goals, causal analysis of Security & Privacy performance issues, and systematic incremental feedback

Slide 50: Security & Privacy Management Capabilities Maturity Model (TM)
[diagram: maturity scale from Level 1 to Level 5]

Slide 51: Security & Privacy Management Capabilities Maturity Model (TM)
Important considerations:
– What is the impact of moving to the next maturity level?
– What changes to technologies, processes, and policy would you need to make?

Slide 52: Case Study: Long-Distance Health Care / Privacy
– Public sector health care network enabling doctor-to-doctor communication between urban specialists and remote patients/hospitals/GPs
– Cost effective communication required - a private network using internet technologies
– Maintain privacy - information shared between organizations, across borders
– Security technology, policy reviews
– Privacy policies of all organizations amalgamated
– Most stringent policy had to apply to all to ensure that all policies were met

Slide 53: SPM-CMM (TM): Level 1 to Level 2
Results:
– Policy review for all organizations
– Co-ordination of all co-operating institutions’ privacy policies so that they were amalgamated and covered; had to use the most stringent policy
– Training to properly handle exchange of information - varying legislative jurisdictions
Services:
– Needs Assessment, Privacy Impact Assessment, Gap Analysis, Policy Writing, Training

Slide 54: Where do you rank your organization on the SPM-CMM (TM)?
– For security?
– For privacy?
– Overall?

Slide 55: Thank you!!!!
Carolyn Burke, MA, CISSP, CISM
CEO, Integrity Incorporated
www.integrityincorporated.com/subscribe.aspx

Slide 56: Mitigate Risk
www.integrityincorporated.com/subscribe.aspx
Carolyn Burke, MA, CISSP, CISM
CEO, Integrity Incorporated
March 23, 2004, 2pm
