
Information Security Management From Information Management to Knowledge Management

Information Security Management: From Information Management to Knowledge Management. The Challenges for Organizations Operating in Complex, Abstract, and Risky Environments. Or: are you going to be a Jester or Road Kill? Or a better title: What is the cost of your ignorance?


Presentation Transcript


  1. Information Security Management: From Information Management to Knowledge Management. The Challenges for Organizations Operating in Complex, Abstract, and Risky Environments. Or: are you going to be a Jester or Road Kill? Or a better title: What is the cost of your ignorance?

  2. On the road again: Outline. Focus will be on Information Requirements for Information Security as it pertains to awareness, governance and management issues. Show: governance structures that need to be present for an organization to adapt to new threats. Themes that will be touched on during our “travels”:
  • Organization as habitat
  • Risk as life style
  • Technology as enabler
  Closure

  3. System of Beliefs and Information Technology. Frank Gehry: Guggenheim Museum Bilbao, Bilbao, Spain, 1997. Mies van der Rohe: Seagram Building, New York, New York, 1954 to 1958.

  4. The “Chief Information Security Officer Dilemma”: Sometimes it is a communication issue…

  5. Consequence A: Information Security as The Jester
  • Nice to have around
  • Sees a lot more than he says
  • Can tell the king he has no clothes
  • Can tell the king he really is ugly
  • Does not get killed by the king

  6. Consequence B: Information Security as Road Kill
  • Did not read the signs
  • Changes happened faster than he was able to move
  • Good intentions went unfulfilled
  • Ends up being part of someone’s meal
  • A brutal way to end a promising career

  7. Arguments for getting funding for Information Security, as an indication of levels of maturity:
  • Fear, Uncertainty and Despair: “The hackers, the virus, will get us unless…”
  • The Herd Mentality: “The king needs taxes”…
  • The Analytical ROI? “Investment in IDS is better than”…
  The argument that has yet to come: The Aware and Agile: the “intelligent” organization, “one that is a node in the network”.

  8. Organizations are a collection of Open Systems and Decision Machines: managing the infrastructure and infostructure in order to preserve trust and truth.

  9. In your organization, where are the natural selection pressures? Open systems evolve, closed systems die. Phenotypic variations in the natural world are not just different ways of appearing, they are different ways of being. When and how do organizations move into phase transition, to transform themselves, i.e. moving from infrastructure management to infostructure management?

  10. The Borderless Value-Chain

  11. The Evolution of Data/Information/Knowledge structures: Organizations as decision machines. “Ghost in the machine…” Timely Compression = Value.
  Layers, top to bottom (the left-hand column of the figure reads wisdom, knowledge, information, data):
  • METAPHYSICS: beliefs, expectations, ideals, cultures…
  • PRAGMATICS: intentions, communications, reactions, negotiations…
  • SEMANTICS: meaning, propositions, validity, denotation…
  • SYNTACTICS (machine enabled): formal structure, language, logic, files, records…
  • EMPIRICS: pattern, capacity, noise, signal…
  • PHYSICAL: traces, mass, speed, density…
  Source: Communications of the ACM, Feb 2003.

  12. The New Ecology of Computing (figure): Main Frame, Client Server, Mobile and Peer to Peer; the focus moves from the organization to individuals. Attributes: Ubiquitous, Trusted, Affective, Social, Advisory, Always on.

  13. Value Based Management (figure). Key Performance Indicators: Revenue, Profitability, Cash flow, Value creation. Elements: Privacy - Security; Trust and Truth; Change in Infra-structure; Change in the Nature of Work; Change in Info-structure; Changes the Nature of Risk. Risk as Profit: Preserving Trust and Truth.

  14. Present realities of the Infrastructure
  • It’s the technology side of IT
  • It is part of the value chain
  • It is becoming a “utility” structure
  • It offers access
  • The infrastructure does not create information
  • Change in the infrastructure can offer new opportunities for the management of information.

  15. Present Challenges at the Info-structure level
  • Creates an ecology of information
  • Permits new levels of interactivity
  • The products of the info structure need to be managed like any other resources, IAW a life-cycle.
  • How does one do wealth creation at the info structure level?
  • What are the sufficient and necessary control mechanisms?

  16. The Nature of Organizational Work. Work in an “abstract system” is characterized by:
  • Rise of the information worker and knowledge management
  • The knowledge manager’s work is all about “sense making” and “decision making”
  • Communities of practice go beyond organizational boundaries
  • Sharing information in a responsible manner becomes the most difficult problem

  17. The Nature of Information Risk Management
  • Malcode – the rise of the “all in one”
  • Adoption of an Information Security and Risk Management Maturity Framework
  • ISO 17799 – ITIL – Cobit
  • Focus of Information Security Management Principles:
    • Defense in Depth
    • Lines of Business own the risk
    • Residual risk accumulates
    • No sanctuary
  • But no common Information Classification framework – this hampers the information sharing

  18. Managing the Infra-structure Challenges: Protecting the trust in the systems themselves

  19. Out there: The world is a harsh place
  • The total number of new, documented vulnerabilities in 2002 was 2,534 - 81.5% higher than in 2001
  • New blended threats
  • Slammer had a $1 billion impact
  • ISM lost a $200 hard drive with a list of 1 million clients
  • There is a war going on…

  20. Today’s activity – network pollution

  21. Slammer – 30 minutes later

  22. The Challenge of port 80

  23. An Ecological Approach to Risk Mapping (influence diagram; the + and - signs on its links could not be recovered). Nodes: Environment: priorities, compliance reviews, resources, the market, drivers, standards, audit, laws, outsourcing, projects, practices, threats, New Technology. Technical Risk = Tech Residual Risks (the operator symbol did not survive extraction). Governance bodies: Inet, Ipt, ARB, etc. Education / awareness. The information infrastructure. Risk mangt. Active Information Security Strategy. Network Security Council. LoB RISK officers. IPC. RCSA. Capital At Risk. Data Classif. Identity mangt. Alerts. Certificates. Vulnerability Analysis. Access mangt. Crypto policy. Escalations.

  24. A Hierarchy of Controls Structures (axes: Privacy, Security)
  Infostructure: Certification; Clients/Users; Opt-in and opt-out issues; Non-Repudiation; Encryption; Object Integrity; Business Applications
  Infrastructure: Access Management; User Authentication, Control and Authorization; Operational Support; Perimeter Protection; System Protection; Network Protection

  25. Managing information security risks in context of all the others.

  26. Risk/Money: Information Security Life Cycle Risk Management. Information Security provides services across the entire technology life-cycle with the objective of lowering the Operational Risk for the Bank.
  Life-cycle stages (Time axis): Bus. Req., Design, Development, Implementation, Operations; horizon markers: (1-3) years, (6-12) months, Now.
  Operational Services: IPC; Alerts; Vulnerability Analysis; Anti-virus management; Intrusion detection; ISO; Access management; PIN-pad services (branch & POS); Encryption and Key management; Digital Certificates / PKI / Smart cards; Remote dial access management
  Strategic Services*: INDUSTRY COORDINATION; GOVERNANCE: Policies; Operational Directive, ISM; Guidelines & Best practices; Awareness & Communication; Training & Education; Environmental scans; Research
  Tactical Services*: SECURITY PRACTICES & TECHNOLOGY: Design reviews; IS issues identification & tracking; Security solutions; Due care process; Tests & Certification; Technology insertion; Info Line
  *) Services not mapped to Org Chart

  27. Reduction of Technical Risks. New metrics for Information Security:
  • Cycle times
  • Analytic time
  • Costs for Data Fusion
  • Business goals and metrics
  Effect of Risk reduction

  28. Active security posture – VA results (chart labels: CWAN, Capital Markets, Nesbitt Burns)

  29. Link Analysis

  30. Software Currency Analysis. In Q1 there were three world-wide security problems identified in the industry: 1) SQL Slammer worm, 2) Sendmail vulnerability, and 3) IIS web server vulnerability. The joint response of IS and system administrators has prevented any significant losses at BMO. However, the response time to these incidents is considered relatively slow, and points to the need to strengthen software currency processes, including: software asset inventory, image management, VA, training, etc.
  Chart: Number of servers affected, January 2003 to May 2003 (y axis 100 to 700); series labelled IIS, Sendmail, Slammer; legend: numbers confirmed by VA process vs. numbers estimated by IPC. Recoverable values: Total = 618 servers, initially only 66 confirmed OK (552 unconfirmed); Total = 479 servers, initially only 3 confirmed OK (476 unconfirmed); Total = 399 servers, initially only 9 confirmed OK (390 unconfirmed). Later data points: 367, 282, 54, 26, and several marked “?”. Response windows: 3-4 weeks, 3-6 weeks, 6-8 weeks.
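Slide 30 counts, per incident, how many servers were exposed and how many the VA process later confirmed clean, and slide 27 names cycle time as a metric. The Python script below is an added example, not part of the deck, of a minimal software-currency tracker that keeps the slide's distinction: a host counts as remediated only when a vulnerability-assessment scan dated after the advisory confirms the fix, and the cycle time is the time until the last affected host is confirmed. Hostnames, product names, version strings, dates and scan records are all constructed for the example; only the three incident names come from the slide.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Server:
    host: str
    software: Dict[str, str]  # product -> installed version at the inventory snapshot


@dataclass(frozen=True)
class Advisory:
    name: str
    product: str
    fixed_version: str  # installed versions below this are exposed
    published: date


@dataclass(frozen=True)
class ScanResult:
    host: str
    advisory: str
    scanned: date
    clean: bool  # True when the VA scan confirms the fix is in place


def version_tuple(version: str) -> tuple:
    """Compare dotted numeric versions component-wise, so '8.10' > '8.9'."""
    return tuple(int(part) for part in version.split("."))


def exposed(server: Server, adv: Advisory) -> bool:
    """A host is exposed if it runs the product at a version below the fix."""
    installed = server.software.get(adv.product)
    return installed is not None and version_tuple(installed) < version_tuple(adv.fixed_version)


def currency_report(servers: List[Server], adv: Advisory, scans: List[ScanResult], as_of: date) -> dict:
    affected = {s.host for s in servers if exposed(s, adv)}
    # Only a clean VA scan dated within [published, as_of] counts as "confirmed OK".
    # An estimate from the incident team (the slide's "numbers estimated by IPC")
    # is deliberately not treated as confirmation here.
    clean_dates: Dict[str, date] = {}
    for r in scans:
        if (r.advisory == adv.name and r.clean and r.host in affected
                and adv.published <= r.scanned <= as_of):
            clean_dates[r.host] = min(r.scanned, clean_dates.get(r.host, r.scanned))
    unconfirmed = affected - set(clean_dates)
    # Cycle time: days from publication until the last affected host was confirmed
    # clean; undefined while any affected host is still unconfirmed.
    cycle_days: Optional[int] = None
    if affected and not unconfirmed:
        cycle_days = (max(clean_dates.values()) - adv.published).days
    return {
        "advisory": adv.name,
        "affected": len(affected),
        "confirmed_ok": len(clean_dates),
        "unconfirmed": sorted(unconfirmed),
        "cycle_time_days": cycle_days,
    }


# Constructed sample data (not from the deck): hosts, products, versions and dates are made up.
SERVERS: List[Server] = [
    Server("srv01", {"db": "1.0", "web": "3.2"}),
    Server("srv02", {"db": "1.0"}),
    Server("srv03", {"db": "2.0", "mta": "8.0"}),
    Server("srv04", {"mta": "8.0", "web": "3.0"}),
    Server("srv05", {"web": "3.2"}),
    Server("srv06", {"mta": "8.1"}),
]
ADVISORIES: List[Advisory] = [
    Advisory("Slammer", "db", "2.0", date(2003, 1, 25)),
    Advisory("Sendmail", "mta", "8.1", date(2003, 3, 3)),
    Advisory("IIS", "web", "3.2", date(2003, 3, 17)),
]
SCANS: List[ScanResult] = [
    ScanResult("srv01", "Slammer", date(2003, 2, 10), True),
    ScanResult("srv02", "Slammer", date(2003, 2, 20), False),  # fix not yet applied
    ScanResult("srv02", "Slammer", date(2003, 3, 8), True),
    ScanResult("srv03", "Sendmail", date(2003, 3, 20), True),
    ScanResult("srv04", "Sendmail", date(2003, 3, 25), False),  # still open
    ScanResult("srv04", "IIS", date(2003, 3, 30), True),
    ScanResult("srv05", "IIS", date(2003, 3, 30), True),  # not affected; ignored
]
AS_OF = date(2003, 4, 30)


def run_report(as_of: date = AS_OF) -> List[dict]:
    return [currency_report(SERVERS, adv, SCANS, as_of) for adv in ADVISORIES]


if __name__ == "__main__":
    for row in run_report():
        days = row["cycle_time_days"]
        cycle = "open" if days is None else f"{days / 7:.1f} weeks"
        print(f"{row['advisory']:<9} affected={row['affected']} confirmed_ok={row['confirmed_ok']} "
              f"unconfirmed={row['unconfirmed']} cycle_time={cycle}")
```

The inventory is a snapshot taken when the advisory appears, so remediation is proven by a later scan rather than by editing the inventory; running the report with an earlier `as_of` date reproduces the "initially only N confirmed OK" view the slide shows.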

  31. Information Security is a knowledge transfer process: The Knowledge Transfer Cycle (figure). Axes: Organizational Complexity/Capability (Low to High) against Information Protection Focus (Passive to Real time). Items plotted: ISO 17799; Role based identity; Access management; SEI-CMM; Real Time Response; Intrusion Detection; Monitoring; ITIL; Vulnerability Analysis; Virtual Private Networks; Firewalls; Technical Threats; Virus Scanners.

  32. The Critical Success Factors in Sharing “knowledge and wisdom”
  • Ontologies of threats
  • Data and Information Classification framework
  • Technology support
  • Analytical and Experiential Training

  33. Black Hat conference

  34. The .net Opportunity/Challenge dilemma. The killer app: Integration. The Value Chain.

  35. The People Factor: From awareness to actions (figure)
  • New Employees: Orientation
  • End-Users: Awareness of Risks; Accountabilities; Secure behaviors
  • Practitioners: Train other technical resources; IS Process Hardening; IDS, etc.
  • Experts (Info Security): Specialized knowledge; IS Courses; Seminars & Conferences; CISSP Certification
  Channels: IS Awareness (influence, using Corp. Communications; enterprise-wide scope); IS Education; IS Training (direct influence by IS personnel); IS presence & services (supplier of choice); Clients: proactive practices.

  36. The new homework (in addition to the old)

  37. Strategic Evolution of Information Security
  Present Security Model:
  • Perimeter Control / Packet Level Integrity: IP level; Protocol aware; Perimeter based
  • Closed Business systems: Closed API; Limited to # of Users; Single Admin; Simple Provisioning
  • Node Based; Heterogeneous; Island of security; Under-maintained
  Target Security Model:
  • Managed Security Services: Integrated Network View; Consistent Policies; Tiered Administration; Remote monitoring and management
  • Integrated Business Systems: Accessible API; Many Users; Multiple connections; Cross organization access
  • Application Level Assurances: XML Based; Application Control; Content Aware; Higher value

  38. The Info-structure Challenges: Preserving the truthfulness of the information assets. Focus is on leveraging the content.

  39. Knowledge assets and structure of diffusion (figure: Knowledge, Data). What to share? Create Knowledge. Buy Knowledge.

  40. The Problem Space: the growth of data has far outpaced our ability to analyze, interpret, understand, visualize, and make sense of our data.

  41. The Fact Gap (chart, 1999 to 2003; y axis: Billions of Decisions, 1 to 12). Series: Available Business Data; Critical Decisions per Week; Available Analytic Personnel. The widening distance between available data and decision/analysis capacity is labelled the FACT GAP.

  42. The Semantic Structures in the information ecology (figure)
  • Process: EContent; Policies; Architecture; Peer to Peer; Groupware; Outcomes; Quality Of Service
  • Technology: XML; Topic Maps; RDF; UDDI; I12G; Ontologies
  • Value Domains: Finance; HR; Clients; Vendors; Products; Status
  • Organizations: Finance; Power Utilities; Government; Hospitals
  • Also: Digital Rights Management; Taxonomies (“classification”); Data Quality; Information Life cycle; Knowledge; ROI on Intellectual capital; Privacy; Security; “Ilities”; Business Applications

  43. Turning Data into Strategy (figure: Data, Discovery, Action, Strategy)
  Data sources: Transaction; Operational; Demographic; Lifestyle; Financial; Economic; Government; Third party
  • Strategic Performance Management
  • Personalized communication
  • Product/Service bundling
  • Risk/Security Planning
  • Improved payment programs
  • Pricing strategies
  • Capital/Resource Management
  • Customer segmentation
  • Demand and forecasting
  • Risk Analysis
  • Fraud Detection
  • Product and customer profitability
  • Payment patterns and profiles
  • Effective and efficient Business Strategies
  • Cost reductions
  • Customer measurement
  • Return on investment
  • Increased customer LTV
  • Increased security

  44. Strategic Semantic Information Management Initiatives

  45. Constructing New Knowledge: reference to WhiszBang and Ramona

  46. Semantic Nets Search Engines

  47. On line access to VLDB

  48. Tracking money flows across time and space: linking the virtual flows with the physical flows
