Defending the Digital Frontier: An Overview
Mark W. Doll, Americas Director, Digital Security Services, Ernst & Young LLP
Rudy Giuliani's call to action
"The time has come for senior executives of U.S. corporations to follow the President's lead and make security a mainstream, business-critical, board-level issue… the time when security-related decisions could be left to persons at a mid-manager level or decided solely upon budgetary considerations has passed. Senior executives must now take the steps to plan, prepare and practice to address their organizational security threats and challenges."
Additional legislative requirements
California Senate Bill 1386, effective July 1, 2003, "requires a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.... The bill would require an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data, as specified. The bill would state the intent of the Legislature to preempt all local regulation of the subject matter of the bill. This bill would also make a statement of legislative findings and declarations regarding privacy and financial security."
The Security Frontier
The digital frontier and the corresponding security risk combine to create a new frontier. We call this the security frontier.
[Chart: The Security Frontier. X axis: IT usage / probability of failure, low to high, 1970s through 2000s. Y axis: reliance on IT / impact of failure, low to high. The curve rises with productivity improvement and increased risk.]
The Digital Security Gap
Caught up in the pursuit of productivity improvements, management apparently overlooked security.
[Chart: The Digital Security Gap. X axis: time, 1990s to 2000s. Y axis: total spending, low to high. Total IT spending and total security spending are plotted; the distance between the two curves is the digital security gap.]
1) Aligned digital security
The attainment and maintenance of appropriate alignment among digital security, the IT organization, digital assets and business objectives. The distance between the top levels of management and the security team is known as the Security Management Gap.
[Diagram: Business Objectives, Digital Assets, Information Technology Organization and Digital Security, aligned.]
79% of respondents in the 2002 Ernst & Young Digital Security Overview survey indicated that the documentation, implementation and follow-through cycle for their information security policies was not being carried out completely.
2) Enterprise-wide digital security
A holistic view of the security needs for the entire organization, as well as its extended enterprise, to ensure consistent, efficient deployment. Critical authority is given to a centralized body to ensure consistently highly effective security throughout the organization.
86% of companies surveyed have intrusion detection systems in place. However, of those companies, only 35% actively monitor 95% to 100% of their critical servers for intrusions.
3) Continuous digital security
Real-time monitoring and updating of all security policies, procedures and processes to ensure a timely response to issues and opportunities. Not occasionally. Not periodically. Continuously.
46% of respondents indicated that they use manual or partially automated methods of tracking physical assets as opposed to fully automated methods.
4) Proactive digital security
The ability of a security program to effectively anticipate potential threats and vulnerabilities and to maintain the confidentiality, integrity and availability of digital assets.
[Chart: Risk intelligence, low to high, over time; the traditional curve (initial assessment, then periodic assessment) against the proactive curve (ongoing monitoring).]
Only 16% of respondents have wide-scale deployment of vulnerability tracking mechanisms and knowledge of all critical information vulnerabilities.
5) Validated digital security
Achieving highly effective digital security requires third-party validation of critical security components and business objectives.
[Chart: Rigor of validation, increasing from self-deployed to peer-tested to third-party validated; scope increasing from a unit to a standard to a business objective.]
66% of respondents indicated that their information security policies are not in complete compliance with the domains defined by ISO 17799, CISSP, Common Criteria or other recognized models.
6) Formal digital security
Policies, standards and guidelines that provide fundamental direction on digital security issues and are endorsed by senior staff. To be formal, they must be documented and tested, then communicated to every member of the organization.
[Chart: Documented (minimally to highly) against confirmed (minimally to highly). Quadrants: experience-based (minimally documented, minimally confirmed), situational (minimally documented, highly confirmed), highly documented (highly documented, minimally confirmed), formal (highly documented, highly confirmed).]
13% of respondents have integrated business continuity and disaster recovery plans that address recovering the entire enterprise. 7% indicated they have no documented plans in place.
Executive management must understand
• Scenario-based simulations: table-top exercises
• The organization's response
• Critical roles and responsibilities
• Action plans to minimize the effect of an incident
• Monitor and test responses
Model and define risk: establish consistent threat categories

Category level   Dept. of Homeland Security level   Digital impact/risk
5                Severe (Red)                       Risk to customer segment
4                High (Orange)                      Risk to multiple customers
3                Elevated (Yellow)                  Chronic or series of inefficiencies
2                Guarded (Blue)                     Core process or system shutdown
1                Low (Green)                        Tactical inefficiencies
The fulcrum of control
• The ability to control and contain digital security incidents is the key to success
• Management must determine this tipping point, or fulcrum, and use it to drive their focus
[Chart: Impact of occurrence (1 to 5, low to high) against frequency of occurrence (low to high). The fulcrum of control divides the plane: above it, immediate action; below it, an ROI decision.]
Manage risk for a competitive advantage
• Maintaining digital availability when competitors in your industry fail is critical to most companies' long-term success
[Chart: Impact of occurrence (1 to 5, low to high) against frequency of occurrence (low to high), with Company A plotted against the industry.]
Highly effective security cultures:
• are chief executive-driven
• maintain a heightened sense of awareness
• utilize a digital security guidance council
• establish timetables for success and monitor progress
• drive an enterprise-wide approach
The level of commitment of an organization's personnel to the principles of security will determine the success or failure of the digital security program.
For more information…
Mark Doll, Americas Director, Digital Security Services, Ernst & Young LLP
212-773-1265
Web site: ey.com/security
Security Info-line: 888-706-2600