ABA WEBCAST BRIEFING: Foundations of Information Security
Presented by: Peter S. Browne, Principal Manager, Peter Browne & Associates, LLC


Presentation Transcript


  1. ABA WEBCAST BRIEFING: Foundations of Information Security
     Presented by: Peter S. Browne, Principal Manager, Peter Browne & Associates, LLC

  2. Projected B2B eCommerce Growth: 2004 Predictions
     • Gartner: 7.3 Trillion
     • Forrester: 6.3 Trillion
     • Goldman: 3.2 Trillion
     • eMarketer: 2.8 Trillion
     • Ovum: 1.4 Trillion

  3. Internet Users Worldwide (chart; source: IDC)

  4. Risk Management In Perspective - Drivers
     • New Technologies
       • Web presence
       • Online transactions
       • Delivery of professional services via the Internet
     • New Risks
       • Cyber-extortion
       • Network security breaches
       • Litigation
       • Loss of “intangible” information
       • Dependence on third party service providers

  5. The Problem
     • 85% of companies report at least one computer security breach in the last year
     • 90% report vandalism attacks
     • 78% report denial of service attacks
     • 64% acknowledged financial losses due to these attacks
     • Average loss: $2,000,000
       • Melissa = $80 million total
       • Denial of Service (Mafia Boy) = $1.2 billion
       • Love Bug = $10 billion
     Statistical data provided by the CSI/FBI 2001 report

  6. The Computer Attack Risks
     • Loss or damage to data
     • Legal liability to others
     • Loss or damage to reputation
     • Loss of market capitalization and resulting shareholder lawsuits

  7. Foundations
     Managing risk includes the following components:
     • Accept
     • Mitigate
     • Transfer a portion of the risk to an insurance underwriter

  8. Electronic Commerce: A Paradigm Shift
     Traditional Commerce
     • Centralized systems in a glass house
     • Economy of scale
     • Managed risk
     • Security says NO
     Electronic Commerce
     • Distributed systems everywhere
     • Economy of dispersion
     • Distributed risk
     • Security is an enabler

  9. Business Drivers for Security
     • The effect of the Internet on banking and financial services
     • Movement from information “silos” to information integration
     • Holistic view of risk management
     • Increasing global regulatory oversight
     • Effect of GLBA
     • Increasingly proactive regulatory agencies and audits
     • More pervasive and complex technologies

  10. The Four Foundations of Protection
      • People: board and management commitment, dedicated technical personnel, and a crisis management team, all in place and active!
      • Process: enterprise ISO 17799 ready, on-going management, employee education and regular training, patch management.
      • Technology: monitoring/log review, DMZ zones, firewall, anti-virus software, intrusion detection systems, two-factor authentication for remote access, audit trails.

  11. The Overriding Objective
      Security should be at the table whenever the technology or the business strategy changes, whether the technology is managed in-house or outsourced to third parties.

  12. People Success Factors
      • Set up the right organization

  13. Organizational Placement of IT Security
      • Report separately from IT (Audit, Security, Legal, Finance)
      • Report directly to the CIO/Head of Technology
      • Report into the CTO/Operations
      • Part-time function
      • Split function

  14. Roles and Responsibilities
      • Set policy/standards/guidance
      • Act as internal consultant
      • Perform system/security operations
      • Provide oversight over outsourced/third party technology providers
      • Conduct/manage assessments and audits

  15. Ownership
      • What to centralize:
        • Policy, standards, guidance
        • Test and validation of security
        • Cross-enterprise coordination
        • System-wide administration
      • What to decentralize:
        • Accountability
        • Risk acceptance
        • User access administration

  16. People Success Factors
      • Set up the right organization
      • Get good people and train them adequately

  17. Security Must Add Value
      • Facilitate, don’t obfuscate
      • Be a perpetual student
      • Provide solutions to business needs
      • Communicate, communicate, communicate
      • Be an agent of change
      • Focus on operational excellence
      • Treat risk as part of the business equation
      • Clearly articulate what is expected

  18. What Is the Scope?
      • Make security enterprise-wide… and coordinated with all business units
      • Focus early in the product/software life cycle
      • Enlist allies:
        • Business units
        • Legal
        • Operations
        • Risk management
      • Earn your budget!

  19. Preach Security Awareness
      • Educated management
      • Understand risk
        • To the enterprise
        • To the given business
        • To the individual
      • Application of security standards
        • In the software development life cycle
        • In the management of platforms

  20. People Success Factors
      • Set up the right organization
      • Get good people and train them adequately
      • Get management commitment

  21. Articulate Risk in Business Terms
      (chart: Probability of Occurrence versus Value of Fraud)
      • Value of the asset
      • Probability of a loss
      • Likely cost over time

  22. Control Analogy: ATM versus Internet
      Control                                                ATM   Internet
      Known and limited number of customer entry points      Yes   No
      Two-factor authentication required (card plus PIN)     Yes   No
      Camera recording all activity                          Yes   No
      Limited amount of cash available for withdrawal        Yes   Maybe
      Full audit trail of all activity                       Yes   Maybe
      Physical limits to bulk fraud                          Yes   No
      Customer cannot stop an initiated transaction          Yes   No
      Settlement and problem resolution processes in place   Yes   Maybe
      Customer has receipt to verify transaction             Yes   Maybe

  23. Management Involvement
      • Top-level steering committee
      • Task force
      • Advisory board
      • Reporting key performance indicators
      • Reporting incidents
      • Compliance checking

  24. Process Success Factors
      • Put policy and standards in place

  25. Security Life Cycle Steps
      • Assess current security state
      • Update policies
      • Develop and document a "baseline" security standard
      • Translate standards into security guidelines
      • Implement guidelines on systems
      • Ensure compliance with standards

  26. Top-level Policy
      (hierarchy: Policy → Standards → Guidelines → Procedures → Practice)
      • Broad statement of intent
      • Sets the expectations for compliance
      • Must acknowledge individual accountability
      • Culture-dependent
      • Must cover appropriate use
      • Must be enforced

  27. Standards
      • Describe what to do, not how to do it
      • Explain the application of policy
      • Cover all elements of information security
      • Use existing models (I4 & ISF)
      • Provide the cornerstone for compliance

  28. Guidelines
      • Tell how to meet standards
      • Are platform- or technology-specific
      • Provide examples and configuration recommendations
      • Must be kept up to date

  29. Process Success Factors
      • Put policy and standards in place
      • Build a robust program

  30. Desired State of Security
      • The level of security controls needs to correspond to the value/sensitivity of the underlying information asset: “risk-based”
      • Security must:
        • Be incorporated into the development process
        • Be part of the overall architecture
        • Be part of the project management and implementation process
        • Be part of system administrators’ and network planners’ job function
        • Keep current with technologies because they evolve rapidly. What worked yesterday may not be valuable today (digital certificates, application proxy firewalls, biometrics, IDS)

  31. Process Success Factors
      • Put policy and standards in place
      • Build a robust program
      • Track metrics for accountability

  32. Platform Compliance

  33. Security Awareness

  34. Operational Statistics

  35. Technology Success Factors
      • Protect the perimeter

  36. Perimeter Control
      • Firewall technology in place to protect
      • Concept of a DMZ
      • Intrusion Detection
        • Network based
        • Host based
      • Standardized system configuration

  37. (Network architecture diagram: hosts/systems of record, middleware, call center, AOL, web servers, Tandem, Internet, third party ATM networks, kiosks, vendors, VRU, home phone, PFM network, bank systems)

  38. Technology Success Factors
      • Protect the perimeter
      • Provide consistent security services

  39. Consistent Security Services
      • Remote access authentication and authorization
        • Remote dial-in access
        • Internet access
        • Business-to-business links
      • System management
        • Lockdown of access
        • File protection
        • Security patches

  40. Technology Success Factors
      • Protect the perimeter
      • Provide consistent security services
      • Capture audit data

  41. Audit Trails
      • What to capture
        • All access to systems
        • All intrusion attempts
        • Financial transactions
        • Access to sensitive data
      • Uses
        • Digital forensics
        • Monitoring of security
        • Improving performance

  42. Information Security as the Foundation for Electronic Commerce
      • The people are the critical components, but they must be supported by management and trained
      • The process starts with the policy and concludes with implementation
      • The technology must be put in place to manage and enforce security
      • Management commitment is not difficult… if
      • Metrics: if you can’t measure it, you can’t control it
      • Information security bridges the business and the technology

  43. The Future
      In the future, there’ll be just two kinds of banks — the ones on the Internet and the ones who never saw it coming.
