Welcome To Presentation on Holistic Information Security Management
Achieving Operational Excellence in Information Security Management
Agenda
• Part 1: Why we need security on an operational basis, because current models are failing us
• Part 2: What operational security entails, the new model of security management
• Part 3: How, as a full-service managed security provider, we can assist you to set up and manage security on an operational basis
We cannot afford security breaches today
1. Today attacks are getting more financially motivated and with internal complicity
• Consequently, the financial losses are rising
• For breaches with proprietary/customer data loss, the average cost is US $4.2 million (Data Breach survey 2009)
We cannot afford security breaches today
2. Growing consensus in the international community on downstream liability
• You are liable for attacks launched off of your machines and networks. You can be sued if your security weakness allowed someone to launch an attack via your server or network upon a third party.
We cannot afford security breaches today
3. Customers, regulators and markets have become more demanding and punishing
• Over 2.5% of customers move out after disclosure of security incidents affecting them. Additionally, 40% of potential customers have apprehensions about opening business with the provider (Ponemon Institute)
• Regulations like SOX, the Data Protection Act and privacy rules create legal as well as personal liability.
• Share prices drop from 0.63% to 2.10% in value when a major breach is reported (Emory University survey)
Investments in risk management are high. [Chart; values shown: 16.9%, 11.8%, 9.9%]
Yet, Security Breaches Are Only Rising…
• Credit Card Breach Exposes 40 Million Accounts
• Bank Of America Loses A Million Customer Records
• Pentagon Hacker Compromises Personal Data
• Online Attack Puts 1.4 Million Records At Risk
• Hacker Faces Extradition Over 'Biggest Military Computer Hack Of All Time'
• Laptop Theft Puts Data Of 98,000 At Risk
• Medical Group: Data On 185,000 People Stolen
• Hackers Grab LexisNexis Info on 32000 People
• ChoicePoint Data Theft Widens To 145,000 People
• PIN Scandal 'Worst Hack Ever'; Citibank Only The Start
• ID Theft Hit 3.6 Million In U.S.
• Georgia Authority Hack Exposes Confidential Information of 570,000 Members
• Scammers Access Data On 35,000 Californians
• Payroll Firm Pulls Web Services Citing Data Leak
• Hacker Steals Online Shoppers' Personal Information
• Undisclosed Number of Verizon Employees at Risk of Identity Theft
• Mitsui Bank Hacker Compromises Personal Data
• Hacker Faces Extradition Over 'Biggest Computer Hack Of All Time'
• Wachovia Bank: Data On 185,000 Customers Stolen
Breaches are spreading in the Middle East also…
• July 2005: Banks hit by wave of hacking attacks. “… at least two banks – NBD and Mashreqbank suspended some of its online banking services citing the threat of banking attacks….”
• December 2005: Senior official manipulates systems for financial fraud. “A senior official has been charged with manipulation of ERP application…”
• May 2006: ATM fraud forces banks to issue fresh cards to 1,100 customers. “Emirates Bank & Standard Chartered …”
• June 2006: HSBC customers hit by phishing attack. “Internet users in the UAE are being warned to be on their guard following a massive phishing scam targeting HSBC customers…”
Clearly, Current Models are Failing Us
• Nearly 9 out of 10 businesses have suffered some form of security breach. (CSI/FBI survey)
• Worldwide, 51% of organizations faced some form of security failure last year (PC Mag)
Headlines shown on this slide, in addition to those already listed:
• Georgia Technology Authority Hack Exposes Confidential Information of 570,000 Members
• Hacker Steals Air Force Officers' Personal Information
Current Model: Underlying Problem
• Security is not a one-time project with a beginning and an end.
• It requires continuous improvement comprising planning, executing, checking, and then taking further action.
• Achieving a particular state of security is no guarantee that it can be sustained.
What we need now is a new model for operational excellence:
• Holistic
• Continuous
• Integrated
• Business Focused
Business focus
Current Focus (technology problem):
• Firewalls
• Intrusion detection
• Viruses, worms
• Patch management
• Encryption
Desired Focus (business problem):
• Service interruption
• Customer privacy
• Business integrity
• Financial loss
• Regulatory compliance
We require a new model that…
• From Point in Time Assessments, To Continual Risk Aware System
• From Policy & Products, To Continual Mitigation System
• From Security Administration, To Continual Threat, Vulnerability and Identity Management
• From IT Assets, To Channels, Business and Process Risks
Need for SOC
• IT systems have security weaknesses (vulnerabilities)
• These weaknesses may be used for system compromise (threats)
• In an ideal scenario, security can be achieved if:
  • All vulnerabilities are removed at all times
  • Or all threats are blocked at all times
• In practice, vulnerabilities and threats can only be protected against to a degree. For continuous security, it is essential to manage both
• Increasing vulnerabilities and threats require robust security operations
• Set up a Security Operations Center (SOC) to integrate multiple security functions and continuously manage operations
SOC Components
Security Operations Center (SOC): Automation & Integration of Security Operations
• Threat Management
• Vulnerability Management
• Access Management
SOC Benefits
• 24X7X365 management of security
• Proactive approach to security, including early detection & mitigation of vulnerabilities and threats
• Integration of multiple security processes and heterogeneous platforms for higher efficiency & effectiveness
• Centralized security operations resulting in better control and visibility
• Holistic approach to security as against a piecemeal approach
Thank You
epourmand@remisco.com