Mike Hager Enterprise Security Advisor Unisys Corporation It’s All About The Data.

1 Mike Hager Enterprise Security Advisor Unisys Corporation It’s All About The Data

2 Threats Today Include
A belief on the part of senior management that there are no serious threats directed at their company.
Terrorist acts
Natural disasters
Criminal acts
Network attacks
–Inside attacks
–Outside attacks
–Viruses/Malicious

3 The World We Live In Today
General Internet attack trends are showing a 64% annual rate of growth.
The average company experienced 32 attacks per week over the past 6 months.
Two out of five companies that are hit by a disaster go out of business within 5 years.
A Gartner report indicates that the average cost of network downtime is $42,000 per hour.
www.securitystats.com

4 Top 10 Management Mistakes Addressing Data Security
10. Believe that information security and disaster recovery are important issues, but believe they are important issues for someone else to handle.
9. Pretend the problem will go away if you simply ignore it.
8. Rely primarily on perimeter protection.
7. Fail to realize the value of their information and organizational reputations.
6. Believe that it will never happen to them.

5 Top 10 Management Mistakes Addressing Data Security
5. Fail to understand the relationship between information security and disaster recovery and the business.
4. Use technology as a fix and not a solution.
3. Address security as an afterthought, i.e. something we can add later.
2. Look at security as an expense, not an investment.
1. Fail to develop a system of Information Classification and establish minimum protection requirements for each level of classified data.

6 What Has Been Our Approach? Building Bigger and More Complex Walls

7 We Have Created the M & M Effect

8 Where Do You Begin? You begin by identifying what to protect. If you don’t know what to protect, how do you know how to protect it? Without knowing what to protect, you end up either over-protecting or under-protecting your valuable, critical and sensitive information. Neither is a “good thing”.

9 Element I Companies must engage in sound business and security practices that afford critical and sensitive information adequate protection, resulting in an acceptable level of risk against loss, improper use, compromise, unauthorized alteration or modification.

10 Element II Protection programs must be flexible and capable of addressing all information protection needs in the ever changing business and technical environment.

11 Element III Protection programs must be focused on actual threats. Strategies must be developed that are based on sound business practices.

12 Element IV Protection programs must ensure the confidentiality and integrity of critical systems and sensitive information, while ensuring its availability to those who need it to perform their assigned duties and tasks.

13 Federal Regulation Impact On Security
New HIPAA & SEC regulations based on the Gramm-Leach-Bliley Act and Sarbanes-Oxley require that we adopt policies and procedures reasonably designed to:
1. Insure the security and confidentiality of customer records and information.
2. Protect against any anticipated threat or hazard to the security and integrity of customer records and information.
3. Protect against unauthorized acts as to the use of customer records or information that could result in substantial harm or inconvenience to any customer.

14 Information Security - Key Questions
Do you have a system of Information Classification that outlines minimum protection requirements for each level of data?
Do you have a network security strategy that addresses a layered approach to protection?
Do you know where all sensitive data resides?
Have you identified who can access the data?
Have you identified how to protect the data during transmission?
Have you identified how to protect the data stored in your network?

15 Network Protection Strategy
A well-conceived network protection strategy should take a layered approach. At a minimum it should include three layers of protection:
The Gateway Layer - Answers the question, “Can I come in?”
The Control Layer - Answers the question, “Where can I go?”
The Data Layer - Answers the question, “What can I do?”

16 Data Protection Strategy Layered Approach Gateway Layer Control Layer Data Layer

17 The Gateway Layer
Answers the question, “Can I come in?”
Allows you to address how access is gained to your networks:
Firewalls
Intrusion Detection Systems
Modems
Remote Access such as VPN and ExtraNets
User authentication methods

18 Gateway Layer Considerations
Do you rely solely on the “password” as your method of authentication to protect critical data and systems?
Have you tested your password strength with a password cracker such as “l0pht Crack”?
Keep in mind that Gateway level protection does little to protect against the insider threat.

19 Benefits of Completing The Gateway Layer
Eliminates reliance on “passwords” as the only means of protection, thus eliminating risk and liabilities.
Sets the architectural foundation for future e-business.
Provides a foundation for secure remote access.
Provides your company with the ability to identify and react to all attacks directed at your networks from outside the company.

20 The Control Layer
Answers the question, “Where can I go?”
Does your security access control program implement a role-based security model?
Do these roles identify exactly what each employee has and can have access to?
Bottom Line: Do you really know who has access to what, and can you control it?

21 Control Layer Considerations
Is your access control model and/or strategy based on a business need to know?
Have you identified who should and can have your sensitive data?
Have you considered the implementation of a strategy and tools that will allow you to effectively identify and manage a “Role Based” access control model?

22 Benefits of The Control Layer
Provides you with the ability to manage access administration across heterogeneous environments.
Allows you to quickly turn on and turn off access.
Replaces your current traditional “paper trail” of access requests with a fast and accurate electronic workflow approach.
Provides an audit trail and strong security by consolidating all access information into a single database.
Provides you with the means to quickly set up access for new applications implemented by the company.

23 Benefits of The Control Layer
Takes control of the management of access within your applications and networks.
Increases productivity by eliminating all but a single password for the majority of users.

24 The Data Layer
Answers the question, “What can I do?”
Do you have the methodology to identify and restrict the abilities of each user?
1. Can all users read all data?
2. Can all users modify all data?
3. Can all users delete all data?
4. Can you restrict what each user can do based on the user’s role?
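The questions on slides 5, 20, 21 and 24 (classify the data, set minimum protection requirements per level, restrict read/modify/delete by role) come together in a small policy check. The following is an added example, not code from the presentation or from Unisys; the classification levels, role names, protection requirements and sample records are all constructed for illustration. It answers the four Data Layer questions with a default-deny role check and also reports which minimum protections a record is missing for its level, which is how under-protection (slide 8) becomes visible.

```python
"""
Added example (not from the presentation): information classification with
minimum protection requirements per level, plus a default-deny, role-based
read/modify/delete check. All levels, roles, requirements and records below
are constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Level(IntEnum):
    """Classification levels ordered from least to most sensitive (constructed)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Minimum protection requirements per classification level (constructed values;
# the point is that every level has an explicit floor, per slide 5, mistake #1).
MIN_PROTECTION: Dict[Level, Dict[str, bool]] = {
    Level.PUBLIC:       {"encrypt_at_rest": False, "encrypt_in_transit": False, "mfa": False, "audit": False},
    Level.INTERNAL:     {"encrypt_at_rest": False, "encrypt_in_transit": True,  "mfa": False, "audit": True},
    Level.CONFIDENTIAL: {"encrypt_at_rest": True,  "encrypt_in_transit": True,  "mfa": True,  "audit": True},
    Level.RESTRICTED:   {"encrypt_at_rest": True,  "encrypt_in_transit": True,  "mfa": True,  "audit": True},
}

# Role -> highest level the role may touch, and the actions granted at or below
# that ceiling. Anything not listed here is denied (need-to-know, slide 21).
ROLE_POLICY: Dict[str, dict] = {
    "clerk":         {"max_level": Level.INTERNAL,     "actions": {"read"}},
    "analyst":       {"max_level": Level.CONFIDENTIAL, "actions": {"read", "modify"}},
    "records_admin": {"max_level": Level.RESTRICTED,   "actions": {"read", "modify", "delete"}},
}


@dataclass(frozen=True)
class Record:
    name: str
    level: Level
    protections: Dict[str, bool]  # protections actually applied to this record


def decide(role: str, action: str, record: Record) -> Tuple[bool, str]:
    """Role-based decision with a reason string suitable for an audit trail.

    Default deny: the role must be known, the action must be granted to the
    role, and the record must sit at or below the role's classification ceiling.
    """
    policy = ROLE_POLICY.get(role)
    if policy is None:
        return False, "unknown role"
    if action not in policy["actions"]:
        return False, "action not granted to role"
    if record.level > policy["max_level"]:
        return False, "record classified above role ceiling"
    return True, "allowed"


def is_allowed(role: str, action: str, record: Record) -> bool:
    """Boolean form of decide(), answering 'What can I do?' for one request."""
    return decide(role, action, record)[0]


def missing_protections(record: Record) -> List[str]:
    """Minimum protections required by the record's level that are not applied.

    An empty list means the record meets its floor; a non-empty list is the
    under-protection slide 8 warns about.
    """
    required = MIN_PROTECTION[record.level]
    return sorted(name for name, needed in required.items()
                  if needed and not record.protections.get(name, False))


# Constructed sample records (not real data).
SAMPLE_RECORDS: Dict[str, Record] = {
    "price_list":   Record("price_list", Level.PUBLIC, {}),
    "payroll":      Record("payroll", Level.CONFIDENTIAL,
                           {"encrypt_at_rest": True, "encrypt_in_transit": True, "mfa": False, "audit": True}),
    "customer_ssn": Record("customer_ssn", Level.RESTRICTED,
                           {"encrypt_at_rest": True, "encrypt_in_transit": True, "mfa": True, "audit": True}),
}


if __name__ == "__main__":
    for role in ROLE_POLICY:
        for rec in SAMPLE_RECORDS.values():
            for action in ("read", "modify", "delete"):
                allowed, reason = decide(role, action, rec)
                print(f"{role:14s} {action:7s} {rec.name:13s} {'ALLOW' if allowed else 'DENY ':5s} ({reason})")
    for rec in SAMPLE_RECORDS.values():
        print(f"{rec.name}: missing protections -> {missing_protections(rec) or 'none'}")
```

Run as a script it prints the full role/action/record matrix, which is the answer to “Do you really know who has access to what?” on slide 20. The reason string returned by `decide()` is what you would write to the audit trail slide 22 calls for; the ordering of the checks means an unknown role is refused before any data attribute is consulted.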

25 Components of the Data Layer
Use of strong passwords to protect data
Use of encryption to protect sensitive data
Use of Digital Rights Management
PKI as a solution to access control
Smart cards and tokens to access data

26 Incident Response All data is subject to compromise and loss! The ability to identify that you are being attacked, to contain the attacker and to terminate the attacker’s access can limit the amount of damage that can be caused. These are key elements and are essential in surviving an attack.

27 Remember More Security Doesn’t Always Make You More Secure… Better Planning and Management Does

28 Managing the Risks The world has changed dramatically based on the events of the past few years. We have learned that building more and higher walls by itself does little to ensure that critical and sensitive data receives adequate protection. We now must look not only at how we protect our networks but at how we protect the actual data. Remember – It’s All About The Data

29 Closing Thought When it comes to addressing our business risks, we never plan to fail. We just fail to plan!

30 Questions? David “Mike” Hager Enterprise Security Advisor Unisys. David.Hager@Unisys.com Remember It’s All About The Data
