Copyright 2004 Integrity Incorporated

Carolyn Burke, MA, CISSP, CISM

CEO, Integrity Incorporated

Mitigate Risk

March 23, 2004, 2pm

Things we should go over

Background Information

Identifying Risks

Relationship between Privacy & Security

What Causes Security & Privacy Risks

Using a Risk Management Approach

Risk and Vulnerability Assessment

Protecting Privacy & Security

Security & Privacy Management Capabilities Maturity Model

Case Study!

But first, how mature do you think you are?

• From 1 to 5, rate yourself:
  • on policy, process & procedures
  • on privacy & security
  • on technology

[Figure: rating scale from 1 to 5]

Identifying Risks: What is at Risk?

Assets of the organization include
– Secrets
– $$
– Time, effort
– People

What else is at Risk?

– Public trust in the organization
  • PR risk
  • May impede ability of the organization to operate effectively
– Operational capabilities of the organization
  • Can be disrupted by unauthorized system modifications
  • Can be disrupted by Denial of Service and Distributed Denial of Service attacks

And still more

– Your clients
  • Privacy of clients’ personal information
  • Legally protected (legislation)
  • Contractually protected (policy, contract)
  • What information must be protected?
– Accuracy of clients’ personal information
  • Legal requirements
  • Operational necessity

Identifying Risks

The Relationship between Privacy & Security

[Figure: security drawn as the triad of confidentiality (C), integrity (I) and availability (A)]

What Causes Security & Privacy Risks

• Technical vulnerabilities
• Fraud
• Operational issues
• The bad guys

Technical vulnerabilities

• Technical faults
• Software bugs, incorrect documentation
• Misconfiguration
  – software, servers, firewalls / security systems, routers
  – various other network elements
• Hardware failure
  – lack of redundancy
  – poor maintenance schedule

More technical vulnerabilities

• Poor technical architecture
• Lack of
  – appropriate perimeter defenses
  – intrusion detection systems
  – adequate access controls
  – adequate authentication systems
  – adequate authorization controls

Fraud

• Intentional misrepresentation
  • By clients
  • By staff
  • By company executives
• External parties misrepresenting the company

Operational issues

– Insufficient checks & balances
  • peer review
  • periodic internal review
  • external audit
– Human error
– Faulty procedures
– Undocumented or missing procedures
– Lack of standardization

Do you have:
  • a security awareness program
  • a readable security policy
  • an incident response plan

More operational issues

– Lack of a clear policy framework
– Poor real-time handling of security incidents
– Lack of privacy awareness among all staff
– Lack of security awareness among all staff
– Extreme shortage of security skills among IT staff

Do you have:
  • a business continuity plan
  • a disaster recovery plan
  • a backup and recovery system

Bad guys

– Amateur hackers
– Well-intentioned researchers
– Malicious professionals
– Financially motivated professionals (your loss, their gain)

What Causes Security & Privacy Risks

What high-level approach does your organization use today to address security & privacy issues?

• How effective is it?

The Risk Management Approach to Security & Privacy Strategy

You can’t eliminate 100% of risks…

… but you can develop a risk management framework which...

A Risk Management Framework

– takes a strategic approach
– provides a disciplined cost-benefit framework
– establishes clear high-level policies to guide tactical decision-making
– provides detailed processes & procedures
– specifies appropriate levels of protection (technical & procedural) based on sound analysis of vulnerabilities & resulting risks
– sets technical standards
– justifies security & privacy expenditures on both an economic & a legislative basis

The Risk Management Approach: Key Components

• Driven by risk analysis
  – Types of risks × Probabilities of risk × Costs of losses
  – Types of risk mitigation: impact on probabilities and losses
• High-level security & privacy mandate: policies!
• Accountability in all risk-related activities
• Success factors
  – Continuous Improvement
  – Dynamic response to new threats

Continuous Security Framework

Okay, this is for the CSO.

[Figure: Continuous Security Framework diagram, showing the flow of control, the flow of knowledge, verification, and Metrics & Continuous Improvement]

The Risk Management Approach to Security & Privacy Strategy

Map out the high-level steps your organization needs to take to use a risk-management approach to privacy and security.

Risk and Vulnerability Assessment

Risk vs. Vulnerability
– Risk is economic & legal
– Vulnerability is technical & procedural

Quantifying risk

Economic Risk ($) = Types of risks × Probabilities of risk (%) × Costs of losses ($)

i.e. for each type of risk, multiply the probability that it occurs by the cost of the resulting loss; the total economic risk is the sum over all risk types. A mitigation is worth its cost only if it lowers that product (by reducing the probability, the loss, or both) by more than it costs to run.
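The formula above and the cost-benefit rule for mitigations from the Key Components slide, worked through as a small risk register. This is an added example and not part of the original presentation; the three risk types, the mitigation names, their annual costs and the reduction factors are all constructed, illustrative assumptions rather than real figures.

```python
"""Added example (not from the presentation): the slide's risk arithmetic as a
small risk register, plus the cost-benefit test for a mitigation.

Economic risk = sum over risk types of (probability of the risk x cost of the
loss).  A mitigation changes the probability, the loss, or both, and is only
worth adopting if the reduction in expected loss exceeds what it costs to run.
All figures below are constructed, illustrative numbers, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_type: str
    probability: float   # annual probability of a loss event, 0..1
    loss: float          # cost of one loss event, $


@dataclass(frozen=True)
class Mitigation:
    name: str
    annual_cost: float
    probability_factor: float = 1.0  # residual probability = probability * factor
    loss_factor: float = 1.0         # residual loss per event = loss * factor

    def __post_init__(self):
        # A control can reduce probability or loss, never increase them.
        if not (0.0 <= self.probability_factor <= 1.0 and 0.0 <= self.loss_factor <= 1.0):
            raise ValueError(f"{self.name}: factors must be in [0, 1]")


def expected_loss(risk, mitigation=None):
    """Probability x cost of loss, after an optional mitigation."""
    p, loss = risk.probability, risk.loss
    if mitigation is not None:
        p, loss = p * mitigation.probability_factor, loss * mitigation.loss_factor
    return p * loss


def net_benefit(risk, mitigation):
    """Reduction in expected loss minus the annual cost of running the control."""
    return expected_loss(risk) - expected_loss(risk, mitigation) - mitigation.annual_cost


def choose_mitigations(register, options):
    """For each risk, pick the option with the largest net benefit, but only if it is positive."""
    chosen = {}
    for risk in register:
        candidates = options.get(risk.risk_type, [])
        if not candidates:
            continue
        best = max(candidates, key=lambda m: net_benefit(risk, m))
        if net_benefit(risk, best) > 0:
            chosen[risk.risk_type] = best
    return chosen


def total_economic_risk(register, chosen=None):
    """Sum of expected losses across risk types, with chosen mitigations applied."""
    chosen = chosen or {}
    return sum(expected_loss(r, chosen.get(r.risk_type)) for r in register)


# Constructed register: three risk types and the controls on offer for each.
REGISTER = [
    Risk("web server compromise", probability=0.30, loss=200_000),
    Risk("laptop theft", probability=0.50, loss=40_000),
    Risk("denial of service", probability=0.20, loss=30_000),
]
OPTIONS = {
    "web server compromise": [
        Mitigation("patch management + hardening", 25_000, probability_factor=0.25),
    ],
    "laptop theft": [
        # Encryption does not stop the theft; it removes most of the loss.
        Mitigation("full-disk encryption", 5_000, loss_factor=0.10),
    ],
    "denial of service": [
        Mitigation("traffic scrubbing service", 12_000, probability_factor=0.10),
    ],
}


def run_example():
    """Return the before/after economic risk and what the chosen controls cost."""
    chosen = choose_mitigations(REGISTER, OPTIONS)
    return {
        "before": total_economic_risk(REGISTER),
        "after": total_economic_risk(REGISTER, chosen),
        "spend": sum(m.annual_cost for m in chosen.values()),
        "chosen": sorted(chosen),
    }


if __name__ == "__main__":
    for risk in REGISTER:
        for m in OPTIONS[risk.risk_type]:
            print(f"{risk.risk_type:24} {m.name:32} net benefit ${net_benefit(risk, m):>10,.0f}")
    print(run_example())
```

With these constructed figures the scrubbing service is rejected (it costs more per year than the expected loss it removes) while the other two controls are adopted, cutting the register's expected loss from $86,000 to $23,000 for $30,000 of spend. The probabilities and loss figures in a real register are estimates, so the useful output is the ranking and the accept/reject decision rather than the exact dollar totals; the slides' continuous-improvement point is that the estimates get revisited as incidents and audits supply better numbers.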

Assessing vulnerability

– Technical
  • Attack & Penetration Testing
  • Network Security Review
– Procedural
  • Privacy Impact Assessment
  • Policy Audit
  • Processes & Procedures Audit

Risk and Vulnerability Assessment

Estimate the outcomes which would result if your organization were to undergo:
– A thorough Attack & Penetration test?
– A thorough Network Security Review?
– A thorough Privacy Policies Audit?
– A thorough Operational Security (Processes & Procedures) Audit?

Protecting Privacy & Security

• Technology solutions
• Procedural solutions

Technology solutions (and the properties each provides)

– Firewalls: privacy, integrity, authentication
– Encryption: privacy
  • Includes SSL (for web traffic; its successor is TLS), IPSec VPNs (for remote network access), PGP and S/MIME (for email), etc.

Technology solutions

– Passwords: authentication
  • Risks: reusable passwords, plaintext protocols
– Tokens: authentication
– Certificates: authentication
– Intrusion Detection Systems / IDS: integrity, privacy

Technology solutions

– Digital signatures: integrity, authentication, non-repudiation
– PKI (Public Key Infrastructure): privacy, authentication, integrity, non-repudiation
– PMI (Privilege Management Infrastructure, the attribute-certificate counterpart of PKI): authorization, privacy, authentication, integrity

Procedural solutions

– “Need to know” (principle of least privilege): privacy
– Change controls: privacy, authentication, integrity, non-repudiation

Procedural solutions

– Audit processes: increased assurance re. all factors
– Technical standardization: privacy, authentication, integrity, non-repudiation

Protecting Privacy & Security

• What are the primary methods (procedural / technological) used by your organization to:
  – Protect privacy
  – Perform authentication
  – Ensure non-repudiation for online transactions
  – Maintain data and systems integrity

Security & Privacy Management Capabilities Maturity Model (TM)

– Measuring success using a baseline
  • Proprietary, standardized
  • Based on the Systems Security Engineering Capability Maturity Model (SSE-CMM, ISO/IEC 21827)
– Provides maturity metrics on high-level organizational security and privacy capabilities

SPM-CMM(TM) Level 1

– Organization handles Security & Privacy issues informally
– Organization does not have documented Security & Privacy policies

SPM-CMM(TM) Level 2

– Organization has documented Security & Privacy policies
– Organization has assigned resources to plan Security & Privacy initiatives
– Effective training programs re. Security & Privacy
– Organization has effective processes to verify compliance with Security & Privacy policies

SPM-CMM(TM) Level 3

– Organization has concrete Security & Privacy standards & requirements (policies, procedures, technical standards)
– Organization has effective processes to verify consistency of all activities with Security & Privacy standards & requirements

SPM-CMM(TM) Level 4

– Organization has measurable, quantitative Security & Privacy goals
– Organization tracks objective performance relative to Security & Privacy goals
– Strong individual accountability

SPM-CMM(TM) Level 5

– Organization has an effective Continuous Improvement program for Security & Privacy
– Organization has defined improvement goals, causal analysis of Security & Privacy performance issues, and systematic incremental feedback

Security & Privacy Management Capabilities Maturity Model (TM)

[Figure: maturity scale from Level 1 to Level 5]

• Important considerations:
  – What is the impact of moving to the next maturity level?
  – What changes to technologies, processes, and policy would you need to make?

Case Study: Long-Distance Health Care / Privacy

• Public sector health care network enabling doctor-to-doctor communication between urban specialists and remote patients/hospitals/GPs
• Cost effective communication required: a private network using internet technologies
• Maintain privacy: information shared between organizations, across borders
• Security technology, policy reviews
• Privacy policies of all organizations amalgamated
• Most stringent policy had to apply to all to ensure that all policies were met

SPM-CMM(TM): Level 1 to Level 2

Results
• Policy review for all organizations
• Co-ordination of all co-operating institutions’ privacy policies so that they were amalgamated and covered; had to use the most stringent policy
• Training to properly handle exchange of information across varying legislative jurisdictions

Services
• Needs Assessment, Privacy Impact Assessment, Gap Analysis, Policy Writing, Training

Where do you rank your organization on the SPM-CMM(TM)?

For security? For privacy? Overall?

Thank you!!!!

Carolyn Burke, MA, CISSP, CISM

CEO, Integrity Incorporated

www.integrityincorporated.com/subscribe.aspx
