Date posted: 05-Feb-2020

Page 1

Information Security Risk Strategies

[email protected]

Page 2

Meeting Agenda

§ Challenges Faced By IT
§ Importance of ISO-17799 & NIST
§ The Security Pyramid
§ Benefits of Identifying Risks
§ Dealing or Not Dealing With Risks
§ Applying Real-World Risk Management Methodologies
§ Conclusion

Page 3

Challenges

§ Information & System Availability
§ Complex Environments
§ Connectivity Requirements (Work From Anywhere \ Anytime)
§ Fast Paced Growth (Acquisitions)
§ Regulation Requirements
§ Transitioning from Reactive to Proactive Practices
§ Limited Resources (Biggest Challenge)

Page 4

Regulations

§ HIPAA – Health Insurance Portability & Accountability Act
§ GLBA – Gramm-Leach-Bliley Act
§ Sarbanes-Oxley – Sarbanes-Oxley Act
§ Payment Card Industry – Credit Card Industry Specific Requirements

Page 5

Key Methodologies

§ ISO-17799
§ National Institute of Standards & Technology (NIST)
§ ITIL
§ CoBIT

Page 6

Importance of NIST & ISO-17799

§ National Institute of Standards & Technology Referenced Throughout Most Regulations

§ Policies and Procedures Are Critical to NIST Best Practices

§ ISO-17799 is Industry Recognized Standard for Security

§ ISO-17799 Covers 10 Areas of Security

§ Each ISO-17799 Area Has Individual Security Items

§ If You Follow NIST and ISO-17799 You Would Have a Strong Security Posture and Should Pass Almost Every Audit

§ Combine NIST 800-26 Levels and ISO-17799

Page 7

ISO-17799 Covered Areas

§ Security Policies
§ Organizational Security
§ Asset Classification & Control
§ Personnel Security
§ Physical and Environmental Security
§ Communications & Operations Management
§ Access Control
§ System Development & Maintenance
§ Business Continuity Management
§ Compliance

Page 8

NIST Legend

§ Level 1 – control objective documented in a security policy

§ Level 2 – security controls documented as procedures

§ Level 3 – policies and procedures have been communicated & implemented

§ Level 4 – procedures and security controls are tested and reviewed

§ Level 5 – procedures and security controls are fully integrated into a comprehensive program

Page 9

ISO-17799 Graph Sample

[Bar chart: "Business Continuity". Y axis: NIST Level (0 to 6). One pair of bars per ISO-17799 business continuity item: Business Continuity Management Process; Business Continuity & Impact Analysis; Writing & Implementing Continuity Plan; Business Continuity Planning Framework; Testing, Maintaining & Reassessing BC Plan. Series: Actual Practice, Peer Comparison.]

Page 10

Assess the Pyramid

Page 11

What is the Pyramid

§ Holistic \ Integrated Approach to Security
§ Represents the key building blocks to a strong Information Security Posture
§ Represents Berbee’s approach to security
§ Much Like Maslow’s Hierarchy of Needs or USDA’s Food Pyramid

Page 12

Three Types of Clients

§ Those that are maintaining the pyramid
§ Those who are building the pyramid
§ Those that need to start building the pyramid
§ They all have different pyramid needs

Page 13

Security Professional’s Goals

§ Reduce Risk
§ Reduce Cost
§ Reduce Complexity

Page 14

Policies, Procedures, Standards & Leadership Support

§ Policies
§ Procedures
§ Standards
§ Leadership Support

Page 15

Assessments & Risk Management

Risk Management
§ Provide a roadmap to strengthen weaknesses
§ Provide an idea of remediation budget
§ If you’re regulated, it will save you time when the audit occurs

Assessments
§ Types
  • Baseline
  • Compliance
  • Progress
§ Purposes
  • Facilitation
  • Education
  • Justification

Page 16

Benefits of Identifying Risks

§ Can’t Manage if You Can’t Measure
  • Knowing Risks will allow you to determine what and how to protect against threats
  • It will identify costs of dealing with threats

§ Roadmap for Protection Mechanisms
  • Knowing Risks will be the first step towards evaluation & implementation of protection practices and solutions
  • Project Plans and Head Count Necessary for Risk Mitigation will be defined

§ Enhances Proactive Response Practices
  • Knowing Risks will allow for more effective Incident Handling, IT Contingency, and Physical protection mechanisms
  • With Risk Prioritization, when multiple issues occur, it will reduce time to respond

Page 17

Dealing or Not Dealing With Risks

§ Three ways to deal with risks
  • Accept the risk as it is
  • Mitigate or reduce the risk
  • Transfer the risk (insurance)

§ Not taking the time to identify risks has these potential consequences
  • Significant monetary loss due to attacks
  • Regulatory Penalties
  • Civil Penalties (class action lawsuits by victims)
  • Damage to Reputation
  • Intellectual Property Loss
  • Customer Privacy Compromised
  • Physical Loss
  • Loss of Life in Critical Infrastructures (Transportation, Health Care, Government, Utilities)

Page 18

How To Identify and Prioritize Risk

§ First Step is a Business Impact Analysis
  • Utilize ISO-17799 Checklist
  • Send out a BIA Questionnaire to Business Units
  • Fill out the Risk Assessment Spreadsheet for each System, Application and Process from the BIA and ISO Checklist

§ Create Priority Matrix & Tasks Lists
  • With the results from the Risk Assessment Spreadsheet and other Material, a Task Plan can be built
  • Identify resources that should be part of the Risk Management Project

§ Risk Management Team First Steps
  • Should each risk be: Accepted, Mitigated, Transferred
  • For those that need to be mitigated: determine next steps
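As an added example (not part of the presentation), the following script shows how the "Combine NIST 800-26 Levels and ISO-17799" idea from slide 6, the Actual vs. Peer graph from slide 9, and the spreadsheet-to-priority-matrix steps above can be tied together: each ISO-17799 checklist item gets an observed and a peer NIST level plus a BIA impact rating, and the script orders items by weighted gap and proposes an accept / mitigate / transfer disposition for the team to confirm. The 1..5 impact scale, the `insurable` flag, the `accept_below` threshold and the sample values are assumptions.

```python
from dataclasses import dataclass

# NIST 800-26 maturity legend from the presentation; level 0 added for "nothing documented"
NIST_LEVELS = {
    0: "no control objective documented",
    1: "control objective documented in a security policy",
    2: "security controls documented as procedures",
    3: "policies and procedures communicated & implemented",
    4: "procedures and security controls tested and reviewed",
    5: "procedures and controls fully integrated into a comprehensive program",
}

@dataclass
class ChecklistItem:
    area: str          # ISO-17799 covered area
    item: str          # individual security item within that area
    actual: int        # NIST level found in the assessment ("Actual Practice")
    peer: int          # NIST level of comparable organisations ("Peer Comparison")
    impact: int        # BIA impact rating for the supporting system (assumed scale 1..5)
    insurable: bool = False  # assumption: the loss could be transferred via insurance

    def __post_init__(self):
        if self.actual not in NIST_LEVELS or self.peer not in NIST_LEVELS:
            raise ValueError("NIST level must be 0..5")
        if not 1 <= self.impact <= 5:
            raise ValueError("BIA impact must be 1..5")

def risk_score(ci: ChecklistItem) -> int:
    """Gap to the peer level weighted by business impact; 0 = at or above peers."""
    return max(0, ci.peer - ci.actual) * ci.impact

def disposition(ci: ChecklistItem, accept_below: int = 3) -> str:
    """Proposed accept / mitigate / transfer decision for the risk team to confirm."""
    score = risk_score(ci)
    if score < accept_below:
        return "accept"
    if ci.insurable and ci.impact >= 4:
        return "transfer"
    return "mitigate"

def priority_matrix(items):
    """Rows (score, area, item, actual, peer, disposition), highest risk first."""
    rows = [(risk_score(ci), ci.area, ci.item, ci.actual, ci.peer, disposition(ci))
            for ci in items]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

# Constructed sample: the five business continuity items shown on the graph slide
BC = "Business Continuity Management"
SAMPLE = [
    ChecklistItem(BC, "BC Management Process", 2, 3, 4),
    ChecklistItem(BC, "BC & Impact Analysis", 1, 3, 5),
    ChecklistItem(BC, "Writing & Implementing Continuity Plan", 3, 3, 5),
    ChecklistItem(BC, "BC Planning Framework", 2, 4, 3),
    ChecklistItem(BC, "Testing, Maintaining & Reassessing BC Plan", 0, 3, 4, insurable=True),
]

if __name__ == "__main__":
    for row in priority_matrix(SAMPLE):
        print(row)
```

The proposed disposition is only a starting point; the team still decides case by case, and an item that already matches its peers (score 0) still needs periodic re-assessment.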

Page 19

Key Processes In Overall InfoSec Program

§ Assess policies, standards, procedures by conducting a gap analysis

§ Author policies and procedures that are not in place based on the gap analysis

§ Implement an internal Audit and Assessment process

§ Conduct a Risk Analysis to identify systems, applications and their critical priority level

§ Build an Incident Response\Handling process

Page 20

Key Processes Continued

§ Implement Release, Configuration and Management processes

§ Create a Security Awareness Program for all internal personnel

§ Conduct a Cost\Benefit Analysis (CBA) on technologies that can assist in reducing the complexity and costs associated with security risks

§ Designate staff to lead the security initiatives and allow them time to do so

§ Assess what organizations in your industry that are similar in size, strategy, etc., are doing for their security initiatives

Page 21

Key Takeaways

§ ISO-17799 and NIST Are Important Components in Identifying, Measuring and Managing Risks

§ Risk Management involves Leadership support to get the resources to deal with it

§ Not dealing with risk has consequences

§ There are free tools available for initiating & maintaining the risk management process

§ Risk Management involves diligence, key personnel involvement and keeping it simple

Page 22

Links & Tools

§ http://www.securityfocus.com/vulnerabilities
§ http://www.infosyssec.com/index.shtml
§ http://www.nessus.org
§ http://new.remote-exploit.org/index.php/Auditor_main (Auditor)
§ http://www.iwhax.net/modules/news/ (Whoppix)
§ http://www.knoppix.net/
§ http://www.isecom.org/osstmm/
§ http://www.insecure.org
§ http://www.foundstone.com/
§ http://www.metasploit.com/
§ http://packetstormsecurity.nl/

Page 23

More Links & Tools

§ http://www.owasp.org/index.jsp
§ http://www.hackingexposed.com/
§ http://www.sans.org
§ http://www.sans.org/score/
§ http://isc.sans.org/
§ http://csrc.nist.gov/publications/nistpubs/
§ http://csrc.nist.gov/pcig/cig.html
§ http://csrc.nist.gov/checklists/repository/category.html
§ http://www.iso17799software.com/
§ http://www.microsoft.com/security
§ http://www.cisco.com/security

Page 24

Thank You