
Information Protection

Date post: 08-May-2015
Upload: orlando-moreno
Description: Effectively Building a Security Architecture
Transcript
Page 1: Information Protection

Orlando Moreno, PMP, VP of Operations

[email protected] 408.656.2498

Information Protection

Effectively Building a Security Architecture

Page 2: Information Protection


Security Threats Are Growing

Security Incidents Reported to CERT

[Chart: number of security incidents reported to CERT per year, 1988 through 2001; y-axis 0 to 60,000 incidents]

1988: 6 incidents (Morris Worm)

2001: 52,000+ incidents (Code Red, Nimda)

The Computer Emergency Response Team (CERT) is a federally funded research and development center specializing in Internet security, operated by Carnegie Mellon University.

Page 3: Information Protection


The Past Year — Shaping InfoSec

Code Red, Nimda, Slammer

September 11th

WorldCom, Enron: Legal, Regulatory

We’re Vulnerable

Significant Threats

Increased Oversight

Page 4: Information Protection


The Past Year

Lessons Learned …

– We're vulnerable

– Security is everyone’s responsibility

– Security threats & risks are evolving

– Security is a process not a product

Where We Are Going …

– Accountability: Organizational, Vendor, Individual

– Integrated/Distributed Security: OpSys, Apps & Network

– Process Oriented: Managed with Metrics

– Standards & Regulations: Compliance

Page 5: Information Protection


Security — Business Perspective

[Diagram: Information Protection at the center, surrounded by the business pressures acting on it: Wall Street, Business Partners, Cyber War, Competitors, Privacy, Consumers, Regulations, Insurance, Legal]

Page 6: Information Protection


Similar & Different Perspectives

Privacy

Data Protection

Liability

Regulation

Due Diligence

Standards

Technology

Page 7: Information Protection


Security — Technical Perspective

Home Network

Applications

Desktops

DBs

Remote Offices

Business Partners

Competitor

Consumers

Supply Chains

Development Chains

Demand Chains

Page 8: Information Protection


Business View of Security

Risks vary in potential and impact on business processes

Page 9: Information Protection


How Am I Doing?

[Report card: information-security grades A through F, by sector: Manufacturing, Information Sharing, Civilian Government, Defense/Intelligence, Financial Services, Health Care, Energy, Utilities, Communications]

Page 10: Information Protection


Process View of Security

1. People: Everyone has a role in information security.

2. Architecture: Aligns security with business, sets management expectations.

3. Awareness: For expectations to be adhered to they have to be communicated.

4. Technologies: Security is enforced through selection of products that support the architecture requirements.


Page 11: Information Protection


Security Considerations

Authentication – Is the requester who they claim to be?

Authorization – Are they allowed to do what they are asking to do?

Audit/Accountability – How do we hold them responsible for their actions?

Confidentiality – How do we keep requests and responses secret?

Integrity – How do we know messages are not changed in transit?

Administration – How do we manage the data for all this?
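The six considerations on this slide map onto concrete checks in a request-handling path. The following is an added example, not code from the slides or from the author; the "orders" service, the users alice and bob, their shared secrets, the role table and the sample requests are all constructed for illustration. Authentication and integrity are covered by one HMAC over the request, a timestamp window rejects replays, a role table answers the authorization question, and every decision is written to an audit log. Confidentiality is deliberately not provided by this code: a MAC proves origin and integrity but does not hide the body, so the exchange assumes an encrypted transport such as TLS underneath. "Administration" is the upkeep of the key, role and log tables.

```python
import hashlib
import hmac
import json

# Constructed, illustrative data stores (in practice a vault/KMS and an IAM system).
USER_KEYS = {"alice": b"alice-shared-secret", "bob": b"bob-shared-secret"}
USER_ROLES = {"alice": "manager", "bob": "clerk"}
ROLE_PERMISSIONS = {
    "clerk": {"order:read"},
    "manager": {"order:read", "order:cancel"},
}
REPLAY_WINDOW_SECONDS = 300

AUDIT_LOG = []  # accountability: every decision, allow or deny, is recorded here


def canonical(body):
    """Deterministic encoding so signer and verifier MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def mac_for(user, action, timestamp, body, key):
    """HMAC-SHA256 over user, action, timestamp and body: the proof of origin
    (authentication) and of the message being unchanged (integrity)."""
    message = b"|".join([user.encode(), action.encode(), str(timestamp).encode(), canonical(body)])
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def build_request(user, action, body, timestamp):
    """Client side: sign the request with the caller's shared secret."""
    return {
        "user": user,
        "action": action,
        "timestamp": timestamp,
        "body": body,
        "mac": mac_for(user, action, timestamp, body, USER_KEYS[user]),
    }


def _decide(req, decision, reason):
    # Audit/accountability: who asked for what, and what we decided and why.
    AUDIT_LOG.append({"user": req.get("user"), "action": req.get("action"),
                      "decision": decision, "reason": reason})
    return decision, reason


def handle_request(req, now):
    """Server side: walk the request through the considerations in order and
    return (decision, reason). No secrecy is provided here; assume TLS."""
    user = req.get("user")
    action = req.get("action")

    # Authentication: is the requester who they claim to be?
    key = USER_KEYS.get(user)
    if key is None:
        return _decide(req, "deny", "unknown user")
    expected = mac_for(user, action, req["timestamp"], req["body"], key)
    # Integrity: the MAC covers the body, so a body altered in transit fails here.
    if not hmac.compare_digest(expected, req.get("mac", "")):
        return _decide(req, "deny", "bad MAC (forged or altered request)")
    if abs(now - req["timestamp"]) > REPLAY_WINDOW_SECONDS:
        return _decide(req, "deny", "stale timestamp (possible replay)")

    # Authorization: are they allowed to do what they are asking to do?
    role = USER_ROLES.get(user)
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return _decide(req, "deny", f"role {role} may not {action}")

    return _decide(req, "allow", "ok")


def demo():
    """Four constructed requests: one good, one tampered, one unauthorized, one replayed."""
    now = 1_700_000_000
    good = build_request("alice", "order:cancel", {"order_id": 42}, now)
    tampered = dict(good, body={"order_id": 43})  # body changed after signing
    unauthorized = build_request("bob", "order:cancel", {"order_id": 42}, now)
    replayed = build_request("alice", "order:read", {"order_id": 42}, now - 3600)
    return [handle_request(r, now)[0] for r in (good, tampered, unauthorized, replayed)]


if __name__ == "__main__":
    print(demo())  # ['allow', 'deny', 'deny', 'deny']
    for entry in AUDIT_LOG:
        print(entry)
```

The order of the checks matters: an unauthenticated request is denied before any policy lookup so that the audit log never attributes an action to a user who did not prove their identity, and the denials are logged as carefully as the allows, since the denied attempts are usually what an investigation needs.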

Page 12: Information Protection


Building a Security Architecture

[Diagram: WAN connections and remote/external users and sites entering through perimeters into business units, with an "A" marker at each point where access control applies]

Page 13: Information Protection


Developing the Security Architecture

Security Architecture

Requirements

Business Needs

Regulations

Legal Issues

Business Partners

Page 14: Information Protection


The Purpose of a Security Architecture

Understand business requirements
– Legal, regulatory, business partner

Discussion of where you are and where you are going
– 5 year plan — What will security look like tomorrow?

Define standards and principles
– Architecture standards = regulations, international standards
– Technology standards = communication, desktop, server
– Operational standards = range of options

Establish Policy
– Defines appropriate behavior

Provides metrics for measurement
– What is to be measured and how

Gives technical instruction
– Topology, technical descriptions, techniques

Page 15: Information Protection


Risk Management

Pervasive Principles

Broad Functional Principles

Detailed Principles

Regulations & Legislation

Business Risk

Business Requirements

Security Architecture

Page 16: Information Protection


Risk Management

[Chart: risk management options A through F plotted between "Due Diligence" and "Increased Controls"]

Page 17: Information Protection


Where Does Security Fit?

Requirements/Definition

Design

Develop, Test & Debug

Deploy and Maintain

[Diagram: the lifecycle phases numbered 1 through 5, contrasting "Focus of the Past" with "Focus of the Future"]

Page 18: Information Protection


TEI™ (Total Economic Impact) of Integrating Security

Performance& Flexibility

Cost

Security

Page 19: Information Protection


C&A + Continuous Assessment

System Accreditation: "A management decision . . . to authorize operation of an IT system based on the results of a certification process and other relevant considerations…" (NIST SP 800-37)

Security Certification: "A comprehensive analysis of the technical and non-technical aspects of an IT system in its operational environment to determine compliance to stated security requirements and controls…" (NIST SP 800-37)

Continuous Assessment

– Event/Incident Monitoring

– Vulnerability Management

– Configuration Management

– Risk/Threat Management

– Compliance Management
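Of the five continuous-assessment activities above, configuration management is the one most often reduced to a scheduled check against a baseline, with the results rolled up into compliance management. The following is an added example, not code from the slides or from the author: the control ids SSH-01 through SSH-04, the baseline values, the assumed defaults and the sshd_config excerpt are all constructed for illustration. The point it makes that the list alone does not: a directive that is merely commented out is not "compliant", because the daemon falls back to its built-in default, so the check has to evaluate the effective value rather than the presence of a line.

```python
# Constructed baseline: control id -> (sshd directive, required value, severity).
BASELINE = {
    "SSH-01": ("PermitRootLogin", "no", "high"),
    "SSH-02": ("PasswordAuthentication", "no", "high"),
    "SSH-03": ("X11Forwarding", "no", "low"),
    "SSH-04": ("MaxAuthTries", "4", "medium"),
}

# Assumed effective defaults when a directive is absent from the file
# (illustrative values; check the sshd_config(5) man page for the build in use).
ASSUMED_DEFAULTS = {
    "PermitRootLogin": "yes",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}

# Constructed sshd_config excerpt. PasswordAuthentication is commented out,
# which is a common way a host silently drifts from its baseline.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
"""


def parse_sshd_config(text):
    """Return {directive: value}. sshd honours the first occurrence of a
    directive, so later duplicates are ignored here as well."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, value.strip())
    return settings


def assess(observed, baseline=BASELINE, defaults=ASSUMED_DEFAULTS):
    """Compare the effective settings with the baseline; one finding per
    control that is out of compliance."""
    findings = []
    for control, (setting, required, severity) in baseline.items():
        actual = observed.get(setting, defaults.get(setting))
        if actual != required:
            findings.append({
                "control": control,
                "setting": setting,
                "expected": required,
                "observed": actual if setting in observed else f"(default) {actual}",
                "severity": severity,
            })
    return findings


def summarize(findings, baseline=BASELINE):
    """Roll the findings up into the figures a compliance report wants."""
    order = {"low": 0, "medium": 1, "high": 2}
    worst = max((f["severity"] for f in findings), key=order.get, default=None)
    return {"total": len(baseline), "passed": len(baseline) - len(findings), "worst": worst}


if __name__ == "__main__":
    drift = assess(parse_sshd_config(SAMPLE_SSHD_CONFIG))
    for f in drift:
        print(f"{f['severity']:>6}  {f['control']}  {f['setting']}: "
              f"expected {f['expected']}, observed {f['observed']}")
    print(summarize(drift))
```

Run on the constructed excerpt, this reports three findings (root login enabled, password authentication left at its default, MaxAuthTries left at its default) and a one-of-four pass rate with a worst severity of high; the same findings list is what event monitoring would raise a ticket on and what risk management would weigh against the cost of remediation.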

Page 20: Information Protection


Auditing Compliance

Internal

1 — Documentation

External

2 — Assessment

3 — Respond to Gaps

Third-Party Validation

Page 21: Information Protection


Why Security?

Risk: there is a business risk, and it is growing.

Governance: we are seeing increased pressure on boards and executive management regarding information protection.

Architecture: defining a security architecture gives you something to manage and measure against as well as a road map to your destination.

Integration: building security in is more cost-effective than bandaging security on.

Process: security is not just a technical problem, but a people and policies problem as well.
