Presentation is loading. Please wait.

Presentation is loading. Please wait.

Increasing customer value through effective security risk management

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Increasing customer value through effective security risk management"— Presentation transcript:

1 Increasing customer value through effective security risk management
INFORMATION RISK MANAGEMENT Increasing customer value through effective security risk management ADVISORY Rob Goldberg, CISSP Associate Director, Information Risk Management KPMG Risk Advisory Services March 2005

2 Overview Current global state of information security
Case study: measuring information security effectiveness, enterprise-wide Closing remarks

3 Don’t believe the hype Click through each slide and discuss how the global media “latches” on to hackers, focusing on sensationalism. This creates “fear, uncertainty, and doubt” – the FUD factor among CEOs. Key messages: 1 – Hackers ARE a real threat, but not the main one, despite what the media says 2 – There are REAL documented losses, but there are also incidents that appear to have no motive behind them (such as the New Zealand story)

4 What is information security?
What most people think of… “It’s what keeps the hackers out.” “It’s managing access to systems through the use of IDs and passwords.” “It’s the process of encrypting data so others can’t read it.” “It’s a barrier, preventing me from doing what I need to do.” These appear one at a time. Therefore, good idea would be to start the slide then ask the audience to answer the question. Get several answers from people then show the answers. Guaranteed to get some matches.

5 What is information security?
Confidentiality Integrity Availability Keeping sensitive information protected Keeping information intact and valid Keeping information available and accessible Industry-accepted definition for security. Following 3 slides walk through each of these areas. Key message is that although most people think about Confidentiality when you talk information security (keeping people from seeing things they shouldn’t!), the reality is that it is comprised of all three of these and in business terms, Availability and Integrity are often much more important.

6 What is information security?
Key facets of an information security program include: People – organisation, responsibility, accountability, and leadership Process – policies, procedures, and processes Technology – scalable technical support for automation, integration, and enabling of information security operations Ultimately, information security is the method by which an organisation ensures that it has control over its information

7 What’s happening in the world today: cause
Intent Terrorism / Industrial Espionage Nuisance / Fame Curiosity Packet Forging/ Spoofing High Stealth Diagnostics Back Doors Sweepers Sophistication of Methods Sniffers Exploiting Known Vulnerabilities Hijacking Sessions Disabling Audits Self Replicating Code Technical Knowledge Required Password Cracking Key message is that unlike 20 years ago anyone can download a tool from the Internet and wreak havoc. Wouldn’t be a big deal if (1) we hadn’t become so dependent on technology and (2) the intent of the “bad guys” has gone from curiosity to terrorism. There’s much more at stake. Password Guessing Low 1980 1990 2000+

8 What’s happening in the world today: cause
Terrorism threat / vulnerability is a clear and present danger HUGE increase in regulatory pressure Increasing pressure on 3rd party relationships / offshoring Larger impacts from worms / viruses (Sasser) Realisation that traditional model (IT security) doesn’t work Increasing realisation that standards-based approaches are best Audit committees, boards of directors and sr. execs more aware Phishing is currently the fastest-growing crime area

9 What’s happening in the world today: effect
Increasing use of standards (ISO17799) Reporting on information security to board and audit committee Formal responsibilities of senior management for security Organisational changes to support increased visibility of security Increase in awareness programs (customers, suppliers and employees) Greater involvement of security in contract development Governments globally enforcing security-related regulations Companies adopting a “no security, no service” attitude

10 What’s happening in the world today: effect
Board of Directors Business Partners Customers Shareholders Current Trend of Focus Supply Chain Organisation Business Process Re-visiting earlier slide – new focus is on increasing the areas of influence for information security. ONLY leading organisations (very few, globally) are doing this, but the trend will be to increase the scope of information security and use it to protect the interests of the stakeholders. Infrastructure

11 Case study: measuring information security effectiveness, enterprise-wide
Business process focus: how well does security support execution of business strategy? Evaluation of business processes / sub-processes to understand risks associated with confidentiality, integrity, and availability of information assets Part of ongoing program – not a point-in-time assessment Results reported to the Board and Audit Committee Scorecard highlights key areas of risk

12 Business process example
Authorization, Authentication, Interfaces Policy, People, Procedures, Contracts Table / Row Security, Critical Data Elements Filesystem, Trust, Platform Security Segmentation, Architecture, Management Components Tests SAP Manufacturing Oracle Unix Cisco / NOS Application Business Process Database Host Network

13 Risk = Asset Value * Threat * Vulnerability
Business risk defined Business risk is the result of aggregated risks associated with your information security program and architecture Risk = Asset Value * Threat * Vulnerability SAP Manufacturing Oracle Unix Cisco / NOS

14 Security risk scorecard example

15 Security risk trending analysis

16 A holistic approach = customer value
Recommended Approach High High Stakeholders Organisation Few Companies Strong Business Impact Business Process Application Data Security Maturity Business Value Host A graphical way to represent a “top-down” holistic approach to information security that focuses on the areas that have the most business impact. This slide ties together ALL of the messages from the entire presentation. Most Companies Commodity Network Traditional Approach Physical Low Low = Current global industry maturity level

17 Closing remarks Countries around the world have (and will continue to have) a lot of lessons learned. Take advantage of this! Australia is not immune from the regulatory pressures elsewhere (e.g. SOX) – so use pressure to drive continuous improvement Realise that being proactive will drive lower cost of solutions Adopt standards-based approaches (e.g. ISO/IEC 17799) At a minimum ensure “duty of care” Focus on security from a top-down, holistic point of view – this will drive customer value and competitive advantage

18 The KPMG logo and name are trademarks of KPMG.
Presenter’s contact details Rob Goldberg Associate Director National Security Services Leader (02) The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. © 2005 KPMG, an Australian partnership, is part of the KPMG International network. KPMG is a Swiss cooperative. All rights reserved. The KPMG logo and name are trademarks of KPMG.

Download ppt "Increasing customer value through effective security risk management"

Similar presentations

1 K P M G L L P A D V I S O R Y Changes in the IT Audit Profession Stephen G. Hasty, Jr. National Partner in Charge IT Advisory Savannah, GA January 4,

1 K P M G L L P A D V I S O R Y Changes in the IT Audit Profession Stephen G. Hasty, Jr. National Partner in Charge IT Advisory Savannah, GA January 4,
Driving change in information risk within the financial services industry Subtitle Date.

Driving change in information risk within the financial services industry Subtitle Date.
A clear and compelling business case… …for the individual

A clear and compelling business case… …for the individual
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Eurasian Economic Union – challenges and opportunities from customs perspective March 2015.

Eurasian Economic Union – challenges and opportunities from customs perspective March 2015.
How well is the Life Insurance Industry keeping pace with rapidly changing technology? International Insurance Society 23 June 2014 London.

How well is the Life Insurance Industry keeping pace with rapidly changing technology? International Insurance Society 23 June 2014 London.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Start-ups & big business Competition or competitive advantage? Imperial Business Insights Lecture 13 February 2014.

Start-ups & big business Competition or competitive advantage? Imperial Business Insights Lecture 13 February 2014.
Institute of Operational Risk Breakout Session - Operational Risk Nirvana KPMG Giles Triffitt Peter Watson Peter Docherty 1 November 2013.

Institute of Operational Risk Breakout Session - Operational Risk Nirvana KPMG Giles Triffitt Peter Watson Peter Docherty 1 November 2013.
16254_08_2002 © 2002, Cisco Systems, Inc. All rights reserved. Cisco’s Security Vision Mario Mazzola Chief Development Officer August 29, 2002.

16254_08_2002 © 2002, Cisco Systems, Inc. All rights reserved. Cisco’s Security Vision Mario Mazzola Chief Development Officer August 29, 2002.
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
ADVISORY The business of information security – developing a business case IT ADVISORY.

ADVISORY The business of information security – developing a business case IT ADVISORY.
Security Controls – What Works

Security Controls – What Works
Or, How to Spend Your Weekends… Fall 2007 Agenda General Overview of the CISO Arena Technical Security Information Security Strategic Security Kirk Bailey.

Or, How to Spend Your Weekends… Fall 2007 Agenda General Overview of the CISO Arena Technical Security Information Security Strategic Security Kirk Bailey.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
V. Conferencia Internacional Antilavado de dinero y Contra el Financiamiento al Terrorismo Anti-Money Laundering Compliance for Broker/Dealers Current.

V. Conferencia Internacional Antilavado de dinero y Contra el Financiamiento al Terrorismo Anti-Money Laundering Compliance for Broker/Dealers Current.
TRANSACTION SERVICES ADVISORY Romania conference – IPO process Victor Kevehazi, Senior Partner 18 October 2005.

TRANSACTION SERVICES ADVISORY Romania conference – IPO process Victor Kevehazi, Senior Partner 18 October 2005.
© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Information Technology Audit

Information Technology Audit

Similar presentations

Ads by Google