Increasing customer value through effective security risk management

Presentation transcript:

Increasing customer value through effective security risk management. Information Risk Management, Advisory. Rob Goldberg, CISSP, Associate Director, Information Risk Management, KPMG Risk Advisory Services. March 2005.

Overview: current global state of information security; case study: measuring information security effectiveness, enterprise-wide; closing remarks.

Don’t believe the hype. Click through each slide and discuss how the global media “latches” on to hackers, focusing on sensationalism. This creates “fear, uncertainty, and doubt” (the FUD factor) among CEOs. Key messages: (1) hackers ARE a real threat, but not the main one, despite what the media says; (2) there are REAL documented losses, but there are also incidents that appear to have no motive behind them (such as the New Zealand story).

What is information security? What most people think of: “It’s what keeps the hackers out.” “It’s managing access to systems through the use of IDs and passwords.” “It’s the process of encrypting data so others can’t read it.” “It’s a barrier, preventing me from doing what I need to do.” These appear one at a time. Therefore, a good idea would be to start the slide, then ask the audience to answer the question. Get several answers from people, then show the answers. Guaranteed to get some matches.

What is information security? Confidentiality: keeping sensitive information protected. Integrity: keeping information intact and valid. Availability: keeping information available and accessible. This is the industry-accepted definition for security. The following three slides walk through each of these areas. Key message is that although most people think about Confidentiality when you talk information security (keeping people from seeing things they shouldn’t!), the reality is that it is comprised of all three of these and, in business terms, Availability and Integrity are often much more important.

What is information security? Key facets of an information security program include: People (organisation, responsibility, accountability, and leadership); Process (policies, procedures, and processes); Technology (scalable technical support for automation, integration, and enabling of information security operations). Ultimately, information security is the method by which an organisation ensures that it has control over its information.

What’s happening in the world today: cause. [Chart: sophistication of attack methods against the technical knowledge required, 1980 to 2000+. Intent ranges from curiosity through nuisance/fame to terrorism/industrial espionage. Methods shown, from low to high sophistication: password guessing, password cracking, self-replicating code, disabling audits, hijacking sessions, exploiting known vulnerabilities, sniffers, sweepers, back doors, stealth diagnostics, packet forging/spoofing.] Key message is that, unlike 20 years ago, anyone can download a tool from the Internet and wreak havoc. This wouldn’t be a big deal if (1) we hadn’t become so dependent on technology and (2) the intent of the “bad guys” hadn’t gone from curiosity to terrorism. There’s much more at stake.

What’s happening in the world today: cause. Terrorism threat / vulnerability is a clear and present danger. HUGE increase in regulatory pressure. Increasing pressure on 3rd party relationships / offshoring. Larger impacts from worms / viruses (Sasser). Realisation that the traditional model (IT security) doesn’t work. Increasing realisation that standards-based approaches are best. Audit committees, boards of directors and senior executives are more aware. Phishing is currently the fastest-growing crime area.

What’s happening in the world today: effect. Increasing use of standards (ISO17799). Reporting on information security to the board and audit committee. Formal responsibilities of senior management for security. Organisational changes to support increased visibility of security. Increase in awareness programs (customers, suppliers and employees). Greater involvement of security in contract development. Governments globally enforcing security-related regulations. Companies adopting a “no security, no service” attitude.

What’s happening in the world today: effect. [Diagram: areas of influence for information security, from Infrastructure through Business Process, Organisation and Supply Chain, out to Customers, Business Partners, Shareholders and the Board of Directors, with the current trend of focus moving outward.] Re-visiting the earlier slide: the new focus is on increasing the areas of influence for information security. ONLY leading organisations (very few, globally) are doing this, but the trend will be to increase the scope of information security and use it to protect the interests of the stakeholders.

Case study: measuring information security effectiveness, enterprise-wide. Business process focus: how well does security support execution of business strategy? Evaluation of business processes / sub-processes to understand risks associated with confidentiality, integrity, and availability of information assets. Part of an ongoing program, not a point-in-time assessment. Results reported to the Board and Audit Committee. Scorecard highlights key areas of risk.

Business process example (layer | component | tests):
Business Process | Manufacturing | Policy, People, Procedures, Contracts
Application | SAP | Authorization, Authentication, Interfaces
Database | Oracle | Table / Row Security, Critical Data Elements
Host | Unix | Filesystem, Trust, Platform Security
Network | Cisco / NOS | Segmentation, Architecture, Management

Business risk defined. Business risk is the result of aggregated risks associated with your information security program and architecture: Risk = Asset Value * Threat * Vulnerability, applied to each component of the business process (SAP, Manufacturing, Oracle, Unix, Cisco / NOS).

Security risk scorecard example

Security risk trending analysis
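The business process example, the risk formula, the scorecard and the trending analysis above describe one procedure: rate each layer of a business process, aggregate, rank, and compare periods. The following is an added example, not code from the presentation or from KPMG, that carries that procedure through. The 1-5 rating scale, the sum aggregation, the Low/Medium/High band thresholds and every sample rating are constructed assumptions; the layer names and the SAP/Manufacturing/Oracle/Unix/Cisco components come from the slides.

```python
"""Layered security-risk scorecard built on Risk = Asset Value * Threat * Vulnerability.

Added example: rates each layer of a business process, aggregates into a
process-level risk, ranks processes on a scorecard and compares two assessment
periods. Scales, thresholds and sample ratings are constructed assumptions.
"""
from dataclasses import dataclass

# Layers from the business-process example slide. The 1-5 scale for each factor
# is an assumption, so a single layer scores between 1 and 125.
LAYERS = ("Business Process", "Application", "Database", "Host", "Network")
MAX_LAYER_RISK = 5 * 5 * 5
MAX_PROCESS_RISK = len(LAYERS) * MAX_LAYER_RISK  # 625 when every layer is rated


@dataclass(frozen=True)
class LayerRating:
    layer: str
    asset_value: int
    threat: int
    vulnerability: int

    def risk(self) -> int:
        """The slide's formula applied to one layer."""
        return self.asset_value * self.threat * self.vulnerability


def assessment_errors(ratings) -> list:
    """Reasons an assessment cannot be scored; empty list when it is sound."""
    errors, seen = [], []
    for r in ratings:
        if r.layer not in LAYERS:
            errors.append(f"unknown layer {r.layer!r}")
        elif r.layer in seen:
            errors.append(f"duplicate rating for {r.layer}")
        seen.append(r.layer)
        for factor in ("asset_value", "threat", "vulnerability"):
            if not 1 <= getattr(r, factor) <= 5:
                errors.append(f"{r.layer}: {factor} outside the 1-5 scale")
    for layer in LAYERS:
        if layer not in seen:  # a partial assessment must not produce a misleadingly low score
            errors.append(f"missing rating for {layer}")
    return errors


def aggregate_risk(ratings) -> int:
    """Process-level risk as the sum of layer risks (sum aggregation is an assumption)."""
    errors = assessment_errors(ratings)
    if errors:
        raise ValueError("; ".join(errors))
    return sum(r.risk() for r in ratings)


def band(total: int) -> str:
    """Scorecard band from the share of the maximum possible score (thresholds constructed)."""
    share = total / MAX_PROCESS_RISK
    return "High" if share >= 0.30 else "Medium" if share >= 0.15 else "Low"


def scorecard(assessments: dict) -> list:
    """Rows ranked highest risk first; 'hotspot' is the layer contributing most."""
    rows = []
    for process, ratings in assessments.items():
        total = aggregate_risk(ratings)
        hotspot = max(ratings, key=lambda r: r.risk()).layer
        rows.append({"process": process, "total": total, "band": band(total), "hotspot": hotspot})
    return sorted(rows, key=lambda row: row["total"], reverse=True)


def trend(previous: dict, current: dict) -> dict:
    """Change in aggregated risk per process between two assessment periods."""
    return {p: aggregate_risk(current[p]) - aggregate_risk(previous[p])
            for p in current if p in previous}


# Constructed sample ratings for two periods. The Payroll process is hypothetical.
SAMPLE_PREVIOUS = {
    "Manufacturing (SAP)": [
        LayerRating("Business Process", 5, 3, 2), LayerRating("Application", 5, 4, 3),
        LayerRating("Database", 5, 3, 4), LayerRating("Host", 4, 4, 5),
        LayerRating("Network", 3, 4, 2)],
    "Payroll (hypothetical)": [
        LayerRating("Business Process", 4, 2, 2), LayerRating("Application", 4, 3, 2),
        LayerRating("Database", 5, 3, 3), LayerRating("Host", 3, 3, 2),
        LayerRating("Network", 3, 2, 2)],
}
SAMPLE_CURRENT = {
    "Manufacturing (SAP)": [  # Host hardened: vulnerability 5 -> 4
        LayerRating("Business Process", 5, 3, 2), LayerRating("Application", 5, 4, 3),
        LayerRating("Database", 5, 3, 4), LayerRating("Host", 4, 4, 4),
        LayerRating("Network", 3, 4, 2)],
    "Payroll (hypothetical)": [  # Database access tightened: vulnerability 3 -> 1
        LayerRating("Business Process", 4, 2, 2), LayerRating("Application", 4, 3, 2),
        LayerRating("Database", 5, 3, 1), LayerRating("Host", 3, 3, 2),
        LayerRating("Network", 3, 2, 2)],
}

if __name__ == "__main__":
    for row in scorecard(SAMPLE_CURRENT):
        print(f"{row['process']:24} {row['total']:4} {row['band']:7} hotspot: {row['hotspot']}")
    for process, delta in trend(SAMPLE_PREVIOUS, SAMPLE_CURRENT).items():
        print(f"{process:24} change since last period: {delta:+d}")
```

The scorecard ranks Manufacturing (238 of 625, High, hotspot Host) above Payroll (85, Low); the trend shows both falling since the previous period, with Payroll crossing from Medium to Low. Refusing to score an assessment with a missing layer is deliberate: a scorecard built from partial data would understate risk for exactly the processes that were hardest to assess.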

A holistic approach = customer value. [Chart: security maturity (low to high) plotted against business value (low to high). Layers from the bottom: Physical, Network, Host, Data, Application, Business Process, Organisation, Stakeholders. The traditional approach covers the commodity layers, where most companies sit; the recommended approach extends to the strong-business-impact layers, where few companies are. A marker shows the current global industry maturity level.] A graphical way to represent a “top-down” holistic approach to information security that focuses on the areas that have the most business impact. This slide ties together ALL of the messages from the entire presentation.

Closing remarks. Countries around the world have (and will continue to have) a lot of lessons learned; take advantage of this! Australia is not immune from the regulatory pressures elsewhere (e.g. SOX), so use that pressure to drive continuous improvement. Realise that being proactive will drive lower cost of solutions. Adopt standards-based approaches (e.g. ISO/IEC 17799). At a minimum, ensure “duty of care”. Focus on security from a top-down, holistic point of view; this will drive customer value and competitive advantage.

Presenter’s contact details: Rob Goldberg, Associate Director, National Security Services Leader, (02) 9335 7728, rhgoldberg@kpmg.com.au, www.kpmg.com.au. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. © 2005 KPMG, an Australian partnership, is part of the KPMG International network. KPMG is a Swiss cooperative. All rights reserved. The KPMG logo and name are trademarks of KPMG.