Information Protection

Post on 08-May-2015


Effectively Building a Security Architecture


Orlando Moreno, PMP
VP of Operations

omoreno@hotmail.com 408.656.2498

Information Protection: Effectively Building a Security Architecture

omoreno@hotmail.com 2

Security Threats Are Growing

Security Incidents Reported to CERT (chart: number of incidents per year, 1988 to 2001)

– 1988: 6 incidents (Morris Worm)

– 2001: 52,000+ incidents (Code Red, Nimda)

Computer Emergency Response Team (CERT) is a federally funded research and development center specializing in Internet security operated by Carnegie Mellon University.


The Past Year — Shaping InfoSec

Code Red, Nimda, Slammer

September 11th

WorldCom, Enron; Legal, Regulatory

We’re Vulnerable

Significant Threats

Increased Oversight


The Past Year

Lessons Learned …

– We’re vulnerable

– Security is everyone’s responsibility

– Security threats & risks are evolving

– Security is a process not a product

Where We Are Going …

– Accountability: Organizational, Vendor, Individual

– Integrated/Distributed Security: OpSys, Apps & Network

– Process Oriented: Managed with Metrics

– Standards & Regulations: Compliance


Security — Business Perspective

(diagram: Information Protection at the center, surrounded by Wall Street, Business Partners, Cyber War, Competitors, Privacy, Consumers, Regulations, Insurance, Legal)


Similar & Different Perspectives

Privacy

Data Protection

Liability

Regulation

Due Diligence

Standards

Technology


Security — Technical Perspective

Home Network

Applications, Desktops

DBs, Remote Offices

Business Partners

Competitor

Consumers

Supply Chains

Development Chains

Demand Chains


Business View of Security

Risks vary in potential and impact on business processes


How Am I Doing?

(report card, grades A to F, for Information Sharing and Information Security by sector: Manufacturing, Civilian Government, Defense/Intelligence, Financial Services, Health Care, Energy, Utilities, Communications)


Process View of Security

1. People: Everyone has a role in information security.

2. Architecture: Aligns security with business, sets management expectations.

3. Awareness: For expectations to be adhered to they have to be communicated.

4. Technologies: Security is enforced through selection of products that support the architecture requirements.



Security Considerations

Authentication – Is the requester who they claim to be?

Authorization – Are they allowed to do what they are asking to do?

Audit/Accountability – How do we hold them responsible for their actions?

Confidentiality – How do we keep requests and responses secret?

Integrity – How do we know messages are not changed in transit?

Administration – How do we manage the data for all this?


Building a Security Architecture

(diagram: Business Units (marked A) behind Perimeters, linked by WAN Connections to Remote/External Users/Sites)


Developing the Security Architecture

(diagram: Requirements feed the Security Architecture; the requirement sources are Business Needs, Regulations, Legal Issues, Business Partners)


The Purpose of a Security Architecture

Understand business requirements – Legal, regulatory, business partner

Discussion of where you are and where you are going – 5 year plan — What will security look like tomorrow?

Define standards and principles

– Architecture standards = Regulations, international standards

– Technology standards = communication, desktop, server

– Operational standards = Range of options

Establish Policy – Defines appropriate behavior

Provides metrics for measurement – What is to be measured and how

Gives technical instruction – Topology, technical descriptions, techniques


Risk Management

Pervasive Principles

Broad Functional Principles

Detailed Principles

Regulations & Legislation

Business Risk

Business Requirements

Security Architecture


Risk Management

(chart: risk categories A through F plotted against Due Diligence and Increased Controls)


Where Does Security Fit?

Lifecycle phases (numbered 1 to 5 in the diagram): Requirements/Definition, Design, Develop, Test & Debug, Deploy and Maintain

Focus of the Past versus Focus of the Future


TEI™ of Integrating Security

Performance & Flexibility

Cost

Security


C&A + Continuous Assessment

System Accreditation: “A management decision . . . to authorize operation of an IT system based on the results of a certification process and other relevant considerations…” (NIST 800-37)

Security Certification: “A comprehensive analysis of the technical and non-technical aspects of an IT system in its operational environment to determine compliance to stated security requirements and controls…” (NIST 800-37)

Continuous Assessment

– Event/Incident Monitoring

– Vulnerability Management

– Configuration Management

– Risk/Threat Management

– Compliance Management


Auditing Compliance

Internal: 1 — Documentation, 2 — Assessment, 3 — Respond to Gaps

External: Third-Party Validation


Why Security?

Risk: there is a business risk, and it is growing.

Governance: boards and executive management are under increasing pressure regarding information protection.

Architecture: defining a security architecture gives you something to manage and measure against as well as a road map to your destination.

Integration: building security in is more cost-effective than bandaging security on.

Process: security is not just a technical problem, but a people and policies problem as well.