'How can you achieve ongoing Compliance with regard to Information Security ?'
Transcript
Page 1: 'How can you achieve ongoing Compliance with regard to Information Security ?'

'How can you achieve ongoing Compliance with regard to Information Security ?'

Adrian Wright – Secoda Risk Management

BCS Meeting 4 February 2009, Jersey Museum

Page 2

Me

• 25+ years in IT
• 18 years in Information Security
• 9 years Head of Information Security for Reuters
– 250,000 systems
– 1 million endpoints
– 142 countries
– 17.5k employees (5k s/w developers, 5k journalists!)
• 7 years founder / MD of GRC software company
• Speaker and writer on GRC management topics

Page 3

Finance regulatory involvement

• Most of 18 year career in Information Security spent in Finance Sector

• Reuters role included government and regulatory consultations on security, regulation and control of encryption, via Head of Regulatory Affairs

• Including:

– RIPA (Regulation of Investigatory Powers Act)

– EU Data Protection Directive

– Communications Act

– Paper for Geoff Hoon (then IT secretary) on de-restricting encryption

– FSA security consultation exercise (early BS7799 proposals)

– ENISA (European Network and Information Security Agency)

• Historical paradox…

Page 4

Notable quotes on Compliance

“I do have a political agenda. It's to have as few regulations as possible.” Dan Quayle

“The trouble with government regulation of the market is that it prohibits capitalistic acts between consenting adults.” Robert Nozick

Page 5

It’s getting worse…

Page 6

Credit crunch = surge in crime

• Motivation to commit crime greatly increases during recession
• Financial crisis-driven cybercrime on the increase
• As stocks plummet, phishing and malware attacks increase
• Phishing turns into Whaling – company executives targeted

Page 7

Police resources & skills

• Cybercrime lacks government priority
– Threats of terrorism and economic collapse are diverting political attention elsewhere

• Cybercriminals, by contrast, are ramping up their activities

• Cross-border law enforcement not working – (viz. McKinnon case)

• Law enforcement lacks necessary skills and manpower to protect
– Some governments even sponsor information theft and other illegal acts
– Officers being poached by private sector, adding to skills shortage

• Money laundering and e-gold increasing

• NHTCU ceased in 2006 and SOCA not part of UK policing
– New PCeU formed but woefully under-funded (£7m over next 3 years)
– By contrast, US budgeted $155m for homeland security in 2008; seeks $200m in 2009

• So – you’re virtually on your own

Page 8

Increasing data sabotage & cyber extortion

Page 9

Threat trends

Threat and incident trends:

• Increasing data losses

• Industrial espionage increasing

• Politically-sponsored espionage – wholesale

• Growing black economy
– organised crime accounting for £20 billion = 1.42% of UK GDP (SOCA 2008)

• Hacking no longer a ‘sport’ – all done for financial gain

• Mobile workforce

– (a) your data is out there

– or (b) you need to let them in to access it

Page 10

How well do we assess risk?

National Safety Council – whole USA statistical averages:

One year odds of dying as a direct result of:

• Aircraft incident: 1 in 432,484
• Automobile incident – occupant: 1 in 19,216
• Automobile incident – pedestrian: 1 in 49,139
• Hit by lightning: 1 in 6,384,000
• Flood: 1 in 13,248,000
• Electrocuted: 1 in 1,019,642
• Shot by firearm (assault): 1 in 25,263
• Shot by firearm (self inflicted): 1 in 17,532
• Some type of accidental trip or fall: 1 in 15,614
• Alcohol: 1 in 820,271

Page 11

You can’t secure everything…

• You cannot secure absolutely everything:
– “By 2011 the amount of data we produce will exceed the capacity of the world’s storage systems”, i.e. 1,800 exabytes (1,800 billion gigabytes) against total storage of 600 exabytes. CAG = 60% (IDC)
– In 2012, the total annual volume of IP traffic will reach half a zettabyte[1]. IP traffic will nearly double every two years through 2012, increasing by a factor of six from 2007 to 2012.
– Replication: businesses hold avg 3-5 copies of all files; 15-20% have more than 10. We need to start de-duplicating now! (Discovery, DPA & FOI implications)

• Ownership and value are unknown:
– A resource without an owner is, by definition, unsecured. Many critical systems and information are presently going un-owned (examples)
– Data classification isn’t happening or is too complex for all staff to use
– Risk assessment is still a central, expert, function. Need a simpler way.

(1) A zettabyte is 1,000,000,000,000,000,000,000 bytes or 10^21; equal to 1 trillion gigabytes; 1,000 exabytes; 250 billion DVDs.
(2) An exabyte is 1,000,000,000,000,000,000 bytes or 10^18; equal to 1 billion gigabytes; 1,000 petabytes; 250 million DVDs.

Page 12

Investigation of the Problem: The 6 key questions

“I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
and How and Where and Who”

Rudyard Kipling poem "The Elephant's Child" (1902)


Page 13

FSA Report – Data Security in Financial Services

• Review and report produced by new Financial Crime & Intelligence Division (FCID), formed January 2007
– Group checks firms’ systems and controls for assessing and mitigating risk

– Centre of excellence within FSA, advice and intelligence to rest of FSA

– Case work on financial crime issues

• During 2007, group dealt with 56 cases of reported data loss by financial services firms

• Began review programme “to examine how financial services firms in the UK are addressing the risk that their customer data may be lost or stolen and then used to commit fraud or other financial crime”.

• Review based on visiting 39 financial services firms
– determine how well they were identifying and tackling risks of data loss

• Looked at customer data stored on:
– Databases
– Paper files
– Held with 3rd party suppliers

Page 14

270+ observations - so what’s most important?

Page 15

Top Theme: Staff Awareness & Testing

Page 16

The FSA’s Conclusions to this report:

1. “Poor data security is currently a serious, widespread and high impact risk to our (the FSA’s) objective to reduce financial crime”

2. “…there exists a very wide variation between the good practice demonstrated by firms committed to ensuring data security, and the weaknesses seen in firms that are not…”

3. “…data security in financial services firms needs to be improved significantly”

Disappointingly, the report only makes a single passing reference to ISO27001

Page 17

CHANGE HOW WE DO THINGS

Work Smarter – Not Harder

Page 18

Leverage ‘soft skills’ to put security on the agenda

• Some ideas:
– Some InfoSecurity groups getting people sales trained – ‘soft skills’

– Key people must be press trained

– Use business language to communicate your concerns to the Board

– War stories – lots to choose from; but only use most relevant ones

– Negotiate: better to get agreement on some security than risk no security

– Create alliances; the Board wants to hear one coherent message, not dozens

– Don’t be the barrier to deployment. Get security into the project process

– ‘Surf the indignation’ opportunity window after an incident

Page 19

‘Circles of influence’

Danger zone: ‘No man’s land’
Non-owned but potentially vital tasks

Incomplete or forgotten tasks

Within organisations, managers and functions operate within ‘circles of influence’, each owning specific tasks and responsibilities, and each having limited jurisdiction and scope.

There will exist potentially important tasks and assets that don’t fall within the bailiwick of any of these owners, and which consequently go unmanaged and unsecured.

Additionally, experience shows that managers and functions will sometimes offload responsibilities that don’t fit naturally into their space. Ideally, these will land within another manager’s care, but this is not always so, thereby adding to the problem of unmanaged processes and assets.

Page 20

New tactics: work smarter – not harder

• Risk-driven:
– Avoid over- or under-use of security controls by ensuring that the use of certain controls is driven by the prevailing assessed risks.

• Self Service:
– “It’s better to teach a man how to fish than to give him fish.”

• The assessment and management of Information Security needs to be a primarily self-service process, driven forward by:

– Mandate – senior management endorse and command the mission, set into employees’ and managers’ Ts&Cs

– Awareness – of the risk drivers, their responsibilities, the mandate, and what needs doing

– Training – on how to use the tools, carry out the procedures, and where to get help and advice

• Do once – use many: Security ‘building blocks’

Page 21

The ‘Security Building Block’ approach

The (ISC)² 10 security domains:
• Security management practices
• Access control systems and methodology
• Telecommunications and networking security
• Cryptography
• Security architecture and models
• Operations security
• Application and systems development security
• Physical security
• Business continuity and disaster recovery planning
• Laws, investigation, and ethics

Carry out reviews at division or location level to certify the non-system-specific aspects of security, and use these certified attributes or ‘domains’ in all subsequent system projects and reviews. Identify which controls are system-specific and which are generic.

Page 22

“If you fail to plan – you plan to fail”

• Reality check:
– you can’t protect everything

– you can’t prevent all breaches occurring

– need to be selective about what you protect, and to what degree

– plan ahead for when it does go wrong – not if it does

• The role of information security has moved from that of trying to prevent all incidents – to that of (1) mitigating the impact, and (2) ensuring a favourable legal or political outcome when things do go wrong

• Manual or paper-based approaches are no longer adequate.
– Need to automate some risk & compliance processes to achieve the necessary coverage – at today’s speed of change

• This means shifting focus to the following:
1. Faster and more effective incident response and management plans

2. Get key people press trained

3. Pre-agree statements and actions with legal teams before anything happens

Page 23

Putting it all together:
A practical Case Study

• Major UK financial sector company
• 400+ information security policies
• 100+ technical standards
• Simple data classification by Data Owners
• Objectives:
– Increase security awareness across the whole Group
– Implement improved risk assessment via tools, workshop training, automation
– Improve and simplify Data Classification, so all can understand & use
– Overhaul of Data Ownership responsibilities to review their systems

Page 24

Practical example demo

• Corporate case study, combining process, people and technology to deliver an automated compliance framework.

• Solution incorporated:
– policies mapped to people’s roles and circumstances
– automated compliance workflow to drive compliance forward with low management effort

– management scorecard reports show progress, hot spots etc in real time

– audit results gathering and staff knowledge testing to verify understanding and actual compliance across the whole business

Page 25

Page 26

User Awareness

• PCI Awareness Example

Page 27

Where we need to focus:

1. Training & Awareness – must include role specific guidance & testing

2. Written policies - communicated and relevant to staff’s daily work

3. Staff vetting – focus on junior rather than senior, repeat periodically

4. Access rights – joiners and leavers, role based access profiles

5. Control staff use of Internet , Email, P2P, IM

6. Key-logging devices & software

7. Laptops, USBs, CDs and other devices – encrypted

8. Physical security

9. Disposal of paper-based customer records

10. Managing third party suppliers & data

11. Internal Audit skills and expertise

Page 28

Crisis – or Opportunity?

Weiji [way-jhee], modern Chinese for "crisis"

The word "crisis" is composed of two characters: one represents danger, and the other represents opportunity.
