Robert Garigue, VP and Chief Information Security Officer: Controlling Order and Disorder. The evolving role of the CISO within the new structures of Information Systems

Presentation transcript (posted 27-Mar-2015)

Page 1

Robert Garigue

VP and Chief Information Security Officer

Controlling Order and Disorder

The evolving role of the CISO within the new structures of Information Systems


Page 2

Outline of our expedition

Background and Analysis Frameworks

– Business models – The nature of the threats

The strategic information security framework

– Environmental factors – Information security processes

Evolution of information security functions

– Alignment and Integration challenges

– Emerging new risks and concerns

Reflections on the nature and evolving role of the Chief Information Security Officer

Travels in a foreign land


Page 3

BMO Financial Group

• Founded in 1817 – First Canadian Bank

• Highly diversified financial institution – retail banking, wealth management, investment banking

• Assets of $256 billion at October 31, 2003

• 34,000 employees

• Strong presence in US Mid-West through Harris Bankcorp

• Overseas offices around the world


Page 4

Metrics of the Digital BMO

200+ Mainframes

276+ Open System Business Critical Applications

37 000 Desktops

2500 support servers

6000 main network devices

165 terabytes of data storage, growing 50%+ a year

Several Million Transactions/sec


Page 5

Myths and Realities

For some the world is a multidimensional place

…and for others… it is still flat…

There are always Myths and Realities.


Page 6

An evolving organizational context : Information Society

Some of the New Realities:

• Information based productivity

• Computer mediated decisions

• Rise of the knowledge worker

• Network centric structures and value chains

• Command and Control hierarchies are displaced by Cooperative, Commutative and Coordinated organizations

• “a burden shared is a burden halved .. an intellectual asset shared is one doubled”


Page 7

The Integrated Informational Value-Chain

Linked, Complementary, Interdependent

From Goods or Services to Goods with Services


Page 8

Information Flows : Health Care Ecosystem


Page 9

The impact will be felt in the three realms of cyberspace: Physical, Process, Content


Page 10

The Evolution of the Noosphere (Teilhard de Chardin)

Chart: Mainframe, then Client Server, then Mobile and Peer to Peer. The focus shifts from organizations (command and control) to individuals (cooperation, coordination and communication). The emerging environment is ubiquitous, trusted, affective, advisory, always on, social.


Page 11

It is full of Risk: These are the shape of “Things Now Dead”


Page 12

But there will always be conflict between Open systems and Closed systems…. Violent conflict …

Pablo Picasso. Guernica. 1937. Oil on canvas. Museo Nacional Centro de Arte Reina Sofía, Madrid, Spain


Page 13

Zero-day virus: Slammer, 30 minutes later


Page 14

Information Security: a new oxymoron? Information versus Security: the debate


Page 15

Arguments For Getting Funding: Levels of Maturity of the Organization

Fear, Uncertainty and Despair: "The hackers, the viruses, will get us unless..."

The Herd Mentality: "The king needs taxes"...

The analytical ROI? "Investment in intrusion prevention systems is better than"...

Arguments that have yet to come:

"Because we can take on more business and manage more risks"

(brakes are what let cars go faster)


Page 16

Information Security – Managing Expectations

Sometimes it is just a communication issue…


Page 17

Consequence A: Information Security Officer as The Jester

Sees a lot

Can tell the king he has no clothes

Can tell the king he really is ugly

Does not get killed by the king

Nice to have around but…how much security improvement comes from this ?


Page 18

Consequence B: Information Security Officer as Road Kill

Changes happened faster than he was able to move

Did not read the signs

Good intentions went unfulfilled

A brutal way to end a promising career

Sad to have around but…how much security improvement comes from this ?


Page 19

Maybe a better model for CISO: Charlemagne

• King of the Franks and Holy Roman Emperor; conqueror of the Lombards and Saxons (742-814); reunited much of Europe after the Dark Ages.

• He set up schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court, encouraging the development of a standard script.

• He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity among every class of people.

• He relied on Counts, Margraves and Missi Dominici to help him.

Margraves – guarded the frontier districts of the empire. Within their own jurisdictions, margraves retained the authority of dukes in the feudal arm of the empire.

Missi Dominici – envoys of the king, sent out to inspect local administration and report back.


Page 20

Knowledge of “risky things” is of strategic value

How to know today tomorrow’s unknown ?

How to structure information security processes in an organization so as to identify and address the NEXT categories of risks ?

This is the mandate of information security.


Page 21

The Interconnected Societies: the critical Infrastructure

Common layers (bottom to top):
– Geographical map layer (geo-political boundaries)
– Terrain layer (elevation)
– Feature layer (land use, cities, buildings, towers)
– Physical backbone layer (cables, fiber routes, satellites)
– Transport services layer (SONET rings, ATM, PSTN)
– Telecom services layer (Internet, data, voice, fax)

Sector-dependent layers (operations layer, technical application layer, control layer):
– Telecom: billing and resource planning; load balancing and reliability; SS7
– Utilities: billing and resource planning; grid / pipeline monitoring and control; SCADA
– Financial: billing and payment; Internet banking; financial services utilities; stock / financial exchanges; POS terminals and ATMs
– Government: legislation and taxation; law and order; provincial and federal services; secure channels
– Healthcare: billing and administration; diagnostics and electronic records; hospitals, labs and clinics; pharmacies; HL7


Page 22

Indicators and warnings
External environment: the rates of evolution

– 16 new malware products launched every day: viruses, worms, trojan horses, spyware etc.
– 7 new vulnerabilities discovered every day
– 20-minute "guaranty"
– Probes against financial institutions' web sites launched every 6 seconds
– Social engineering is on the rise: people are the weak link

Threat actors: hackers, script kiddies, industrial espionage, cyber-terrorists, competitors, suppliers


Page 23

Indicators and warnings : Threats and targets

The McKinsey Quarterly, 2002 Number 2 Risk and resilience Daniel F. Lohmeyer, Jim McCrory, and Sofya Pogreb


Page 24

Manufacturing exploits: The electronic Petri dish

Malware: spyware + trojan + spam + exploits + social engineering


Page 25

Indicators and warnings
How money was lost – Rough order of magnitude (ROM)

Source: CSI/FBI Report 2003, 530 US-based corporations, government and educational institutions

                                            Highest reported   Average loss
                                            ('000 US$)         ('000 US$)
Denial of service                           60,000             1,427
Theft of proprietary information            35,000             2,700
Insider abuse of Net access                  6,000               135
Viruses and worms                            6,000               200
Financial fraud involving info. systems      4,000               329
Sabotage of data or networks                 2,000               215
Laptop theft                                 2,000                47
System penetration by outsider (hacking)     1,000                56
Active wiretapping                             700               352
Telecom fraud                                  250                50
Unauthorized insider access                    100                31
Telecom eavesdropping                           50                15


Page 26

Identity Theft in Canada


Page 27

Hacking Beliefs

Identity theft – one of the fastest growing crimes. Statistics Canada reports 13,359 cases, $21.5 million in losses in 2003.
– Account takeover (credit cards, bank accounts)
– Application fraud (opening new accounts with the victim's ID)
– Industry needs improved identity management solutions and strong public awareness

Phishing (using email scams to collect confidential information)
– Key issues: detection, shutting down bogus sites, customer awareness
– Banks are posting warnings on their public sites and updating security page information with "Q&A" type material.


Page 28

Emergent Complexity : Spam Space as Risk


Page 29

Structuring Risks: An Organizational Risk Categorization Taxonomy


Page 30

Structuring Risks: Regulatory Environment – where are the controls?

– Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada
– Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) – U.S.
– California Law SB1386 – California
– HIPAA (Health)
– Office of the Superintendent of Financial Institutions (OSFI) – Canada – Guideline B10
– The Financial Services Authority (FSA) – England – OS Section 4
– Federal Financial Institutions Examination Council (FFIEC) – U.S.
– Office of the Comptroller of the Currency (OCC) – U.S. – OCC 2001-47
– The Bank Act – OSFI – Canada – Guidelines B6, B7, B10
– Federal Financial Institutions Examination Council (FFIEC) – U.S. – SP-5 Policy
– Sarbanes-Oxley Act (SOX) – U.S.
– Bill 198 – Canada
– SEC Rule 17a-4
– Basel II Accord
– European Union Directives on Information Security
– Canada's National Security Program
– Patriot Act – US

The slide groups these under two headings: Privacy and Security.


Page 31

Regulatory Penalties & Fines Grid

Regulatory mandate     Some potential penalties                                              Potential fines
SOA (Sarbanes-Oxley)   20 years in prison                                                    $15 million
Basel II               Regulatory agency penalties: vary by G-20 country                     Regulatory agency fines: vary by G-20 country
HIPAA                  10 years in prison                                                    $250,000
GLBA                   10 years in prison                                                    $1 million
Patriot Act            20 years in prison                                                    $1 million
DoD 5015.2             Failure to qualify for DoD contract; contract breach; FAR penalties   Contract penalties
California SB 1386     Unfair trade practice law penalties: vary by state                    Private civil and class actions; unfair trade practice law fines: vary by state
SEC Rule 17a-4         Suspension/expulsion                                                  $1 million+


Page 32

Emergent Behaviors: An Ecological View of Organizational Risk

Influence diagram; only the node names survive. Environment inputs: the information infrastructure, the market drivers, new technology, projects, threats, laws, practices, standards, priorities, resources, compliance, outsourcing. Governance bodies: Inet, Ipt, ARB, etc.; Network Security Council; LOB risk officers; RCSA; Capital at Risk. Security functions: risk management, education and awareness, reviews, audit, access management, certificates, crypto policy, identity management, IPC, alerts, vulnerability analysis, escalations, data classification, active information security strategy. Each link carries a + or – sign; the net effect is the organizational accumulated technical residual risk.


Page 33

Information Security organization as result of the knowledge transfer process

The Knowledge Transfer Cycle

Chart: technical threats plotted from passive to real time (horizontal axis) against organizational complexity/capability, low to high (vertical axis). Security functions in order of increasing complexity: virtual private networks, firewalls, virus scanners, intrusion detection monitoring, vulnerability analysis, real-time response, role-based identity and access management, digital rights management.


Page 34

Knowledge transfer

The Knowledge Transfer Cycle 2

Knowledge networks around BMO IS: CBA; FI CIRT and other banks; vendors; FIRST; projects; PSECP; CANCERT; clients and businesses; wireless; info/infrastructure; utilities; health; telecom.

Chart: same axes and security functions as the previous slide (passive to real time against organizational complexity/capability; virtual private networks, firewalls, virus scanners, intrusion detection monitoring, vulnerability analysis, real-time response, role-based identity and access management, digital rights management).


Page 35

Control Framework is a hierarchy of accountability structures

Layers, from infrastructure to infostructure: perimeter protection (network protection); access management (operating system protection; user access control and authorization); content control (object integrity, content certification, digital signatures). Accountability structures across the layers: business applications, clients/users, operational support, with privacy and security as the governing concerns.


Page 36

Information Security Management Framework

Risk/cost plotted across the lifecycle: business requirements, design, development, implementation, operations.

STRATEGIC – risk level: low
Governance and policies
• Policies • Standards • Procedures • Guidelines • Awareness • Research

TACTICAL – risk level: medium
Application/system development and deployment
• Design reviews • IS solutions • Due care • Risk acceptance • New technology insertion

OPERATIONAL – risk level: high
Active security posture
• Antivirus management • Vulnerability assessments • Intrusion detection • Incident response

OPERATIONAL
IS services
• Access management • Key management • Security token management • Other operational services

Risk curves


Page 37

Information Security Key Performance Indicators

Policy
– Number of policy exceptions
– Number of risk acceptances
– Value of residual risk

Process
– Number of security issues in new projects
– Number of ID accounts (active/dead)
– Number of keys / digital certificates / tokens
– Time to respond to patches, incidents
– Losses due to security incidents

People
– Number of certified personnel
– Overall capital investment ratio, security to IT spend: per system, per person, per incident

Tycho Brahe (1546-1601)


Page 38

Information Security Key Performance Metrics

Charts on the slide (axis ticks omitted):
– Count of virus infections on BMO VPN, by month, December through April 2004 (scale 0 to 12).
– Risk Acceptance and ISM Exception Forms, Q3 2003 to Q3 2004 (scale 0 to 160): active ISM exceptions +4.2% vs. Q2; active risk acceptances +4.2% vs. Q2.
– Project and issue tracking, Q3 2003 to Q3 2004 (issues 0 to 800, projects 0 to 100): open issues +8.17% vs. Q2; closed issues +58.7% vs. Q2; open projects +2.57% vs. Q2.
– April Microsoft security patch deployment (servers + workstations = 36,000 systems reported), % complete against days elapsed: patch announced at day 0; major areas complete at day 16; Sasser worm emerges at day 17, when the advisory is upgraded (exploit emerges).


Page 39

April Microsoft Security Patch Deployment (servers + workstations = 36,000 systems reported)

Chart: % complete against days elapsed. Patch announced: 0 days. "Accelerated" threshold: 2 days. Proposed "Accelerated" threshold: 7 days. "Normal" threshold: 2 weeks. Major areas complete: 16 days. Sasser worm emerges, advisory upgraded (exploit emerges): 17 days.

Microsoft Patch Deployment matrix (H/M/L rows against H/M/L columns, as on the slide):

       H            M            L
H      Emergency    Accelerated  Accelerated
M      Accelerated  Accelerated  Normal
L      Accelerated  Normal       Normal

Note: the April 2004 release required 4 separate patches.

Historical Trend Analysis – days to patch (90% complete):

Patch / incident                 Days
April 2004 Critical (4)          16
February 2004 Critical           9
Nachi / Blaster (August 2003)    34
SQL Slammer (January 2003)       209
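The patch-deployment chart, the H/M/L matrix and the days-to-90% table above amount to a small metrics pipeline: a per-day completion curve, the day on which 90% of reported systems are patched, and a check of that day against the threshold for the chosen deployment track. The Python below is an added example written for this page, not BMO's own tooling. It assumes the matrix rows are patch severity and the columns system criticality, uses the slide's proposed 7-day "Accelerated" and two-week "Normal" thresholds, assumes a 2-day "Emergency" threshold that the slide does not quantify, and works on a constructed inventory of 200 systems with an assumed announcement date.

```python
"""Patch rollout metrics of the kind plotted on the dashboard slide.

Added example for this page, not BMO's tooling. Assumptions: the H/M/L
matrix is indexed (patch severity, system criticality); the Emergency
threshold (2 days) is assumed, while Accelerated (7 days) and Normal
(14 days) are the thresholds proposed on the slide; the inventory and
the announcement date are constructed.
"""
from datetime import date, timedelta

# Deployment track by (patch severity, system criticality), as on the slide.
TRACK = {
    ("H", "H"): "Emergency",   ("H", "M"): "Accelerated", ("H", "L"): "Accelerated",
    ("M", "H"): "Accelerated", ("M", "M"): "Accelerated", ("M", "L"): "Normal",
    ("L", "H"): "Accelerated", ("L", "M"): "Normal",      ("L", "L"): "Normal",
}

# Days allowed to reach 90% complete on each track (Emergency is assumed).
THRESHOLD_DAYS = {"Emergency": 2, "Accelerated": 7, "Normal": 14}


def deployment_track(patch_severity, system_criticality):
    """Look up the track; a rating outside H/M/L is a data error, not 'Normal'."""
    try:
        return TRACK[(patch_severity, system_criticality)]
    except KeyError:
        raise ValueError(f"unknown rating {(patch_severity, system_criticality)!r}")


def completion_curve(announced, patched_on, total):
    """Cumulative % of `total` systems patched for each day since `announced`.

    patched_on holds one install date per system that has reported; systems
    that never reported are simply absent and hold the curve below 100%.
    """
    per_day = {}
    for d in patched_on:
        elapsed = (d - announced).days
        if elapsed < 0:
            raise ValueError("patch reported installed before it was announced")
        per_day[elapsed] = per_day.get(elapsed, 0) + 1
    horizon = max(per_day) if per_day else 0
    curve, done = [], 0
    for day in range(horizon + 1):
        done += per_day.get(day, 0)
        curve.append(round(100.0 * done / total, 1))
    return curve


def days_to_complete(curve, target_pct=90.0):
    """First day on which the curve reaches target_pct, or None if it never does."""
    for day, pct in enumerate(curve):
        if pct >= target_pct:
            return day
    return None


def evaluate_rollout(patch_severity, system_criticality, announced, patched_on, total,
                     thresholds=THRESHOLD_DAYS):
    """Combine track selection and the 90%-complete metric into one verdict."""
    track = deployment_track(patch_severity, system_criticality)
    curve = completion_curve(announced, patched_on, total)
    d90 = days_to_complete(curve)
    return {
        "track": track,
        "days_to_90pct": d90,
        "final_pct": curve[-1],
        "within_threshold": d90 is not None and d90 <= thresholds[track],
    }


def sample_inventory():
    """Constructed data: 200 systems, 193 of which reported an install date."""
    announced = date(2004, 4, 13)  # assumed announcement date for the example
    installs_per_day = {1: 10, 2: 40, 3: 50, 5: 40, 7: 30, 9: 15, 12: 8}
    patched_on = [announced + timedelta(days=day)
                  for day, n in installs_per_day.items() for _ in range(n)]
    return announced, patched_on, 200


if __name__ == "__main__":
    announced, patched_on, total = sample_inventory()
    for severity, criticality in (("H", "H"), ("H", "M"), ("M", "L")):
        print(severity, criticality,
              evaluate_rollout(severity, criticality, announced, patched_on, total))
```

Run stand-alone it prints one verdict per rating pair. The same 9-day curve passes on the Normal track and fails on Accelerated and Emergency, which is the point of tying the threshold to the track rather than reporting a single days-to-patch number.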


Page 40

Major Networks – Active security posture: Vulnerability Analysis results

Networks: CWAN, BWAN, Nesbitt Burns, Capital Markets, Harris (not every network has a value for every quarter)

Year/Quarter   Values
2001           1.84   2.91   6.04   3.35
2002 – Q1      2.53   3.38   5.34   2.04
2002 – Q2      2.08   1.84
2002 – Q3      2.93   3.19   4.77
2002 – Q4      3.01   2.41   2.35
2003 – Q1      2.63   2.98   3.59


Page 41

Quarterly Information Security Dashboard

Information Security Group – Enterprise Information Security Service. Areas tracked (each rated for last quarter, forecast and posture, with details by page): IS Policy & Strategy; Standards & Architecture; Project Assessments; Information Protection Centre; Anti Virus; Vulnerability Assessment; Intrusion Detection; Response/Management; Information Security Operations; Key Management; Encryption (PKI); Access Management; CSPIN (devices); Remote Access; Business Analytics / analytics and reporting; Education & Awareness; Training; Security Practices & Technology.

Legend: unsatisfactory; fully satisfactory; positive trend; negative trend; stable; key issues.


Page 42

Making The Case for Security Investments

Return on Investment (ROI) has failed to make the case economically because there are too many variables:

– Benefits are hard to quantify: what is the value of good health?

– Statistical data is unreliable and changes fast

– Cost avoidance is not the same as cost savings

– The "language divide": accounting vs. security

– Loss of credibility is more costly than loss of physical assets

– Technology substitution is not a guarantee of more capability

Chart: total security costs plotted against incident costs and security investments, with the optimum marked "?".


Page 43

The Security Challenge: Alignment

The Digital Divide: two solitudes, in virtual isolation

Security services: project assessment; anti-virus; patches; vulnerability assessments; incident management; intrusion detection; application security; access management; key management.

IT processes: application development; architecture; problem management; incident management; change management; service level; configuration; firewall rules; capacity; availability; IT service continuity.


Page 44

Maturity Framework Levels: Stages of Evolution of a system

Phase             Description
0. Absence        Nothing present
1. Initiation     Concrete evidence of development
2. Awareness      Resources allocated
3. Control        Formalized
4. Integration    Synergy between processes
5. Optimization   Continuous self improvement and optimization

Characteristics: visible results; management reports; tasks/authorities defined; active rather than reactive; documentation; formal planning.


Page 45

Maturity Frameworks pedigree : The reference framework

"It is better not to proceed at all than to proceed without method." (Descartes)


Page 46

Information Security Maturity model: ISO 17799; Information Technology Infrastructure Library (ITIL); SEI CMM (Capability Maturity Model)


Page 47

A proposal for a new integrated risk framework

The objective is to lower the overall risk through capability maturity framework integration.

Lifecycle: business requirements, design, development, implementation, operations. Frameworks aligned along it: ITIL, SEI CMM, ISO Project, ISO 17799.

Risk Management through Maturity Framework alignment – organizational focus: ?


Page 48

Strategic Evolution of Information Security

Present security model:
– Packet level: IP level; protocol aware; perimeter based
– Integrity
– Closed business systems: closed API; limited number of users; single admin; simple provisioning
– Perimeter control: node based; heterogeneous; islands of security; under-maintained

Target security model:
– Application level: XML based; application control; content aware; higher value
– Assurances
– Integrated business systems: accessible API; many users; multiple connections; cross-organization access
– Managed security services: integrated network view; consistent policies; tiered administration; remote monitoring and management


Page 49

The new Information Security challenge: Managing the "Roles and Content" via "Rights and Privileges"

Chart: the number of digital IDs and applications grows with each platform generation (mainframe, client server, Internet, business automation, mobility) and each audience (company B2E, partners B2B, customers B2C), alongside the growth of "unstructured" documents. Axes: ROLES and CONTENT.


Page 50

Information centric organization

• Content is increasingly easy to collect and digitize
• Has increasing importance in products and services
• Is very hard to value or price
• Has a decreasing half-life
• Has increasing risk exposure
  – integrity and quality
  – regulation: privacy / SOX
• Is a significant expense in all enterprises (IT Governance – Weill and Ross)

Michael C. Daconta


Page 51

Where are the risks coming from with the rise of the info-structure?

Where is the locus of control when it lies outside the boundaries of the organization?

Information Security Management has to recognize a requirement for a content control model that is independent of any specific technical solution, to deal with the new information security risks in "semantics management".

The focus then moves to content management and its issues: Topic Maps, XML, RDF, UDDI, XBRL, SAML, ontologies, and more and more XML.

Three layers: infostructure (content); policy (rules); infrastructure (technology). <tag> CONTENT </tag>


Page 52

The Integrated Architecture: Content and Technology

Diagram: clients (web, PDA, cell) send a content request with user ID/password to the web server; the content management system, provisioning engine, static content, style sheets, syndication server and data server (profiles, rights and privileges, rules) assemble the content response as customized XML documents, drawing on the back-end applications.


Page 53

The Architecture of the Infostructure: The Ontology of Information Management

Diagram nodes: risk assessment; content classification and sensitivity; business applications; roles; XML and Topic Maps; RDF, UDDI, XBRL; rule mapping from policies to XML; content kinds (offerings, resources, transactions, references, locations, policy and regulations, directions, contracts, finances, markets); quality of service; ROI on intellectual capital; knowledge; information life cycle; data quality; SOA, peer to peer, groupware; taxonomies; syntax; organizations; outcomes; e-content life cycle management; process; policies; standards (NetBiz, RosettaNet); architecture.


Page 54

Information Management as Information Security

New imperatives:
– Data classification
– Information stewards
– Content lifecycle management
– Identity management
– Digital rights management services

Classification scheme. Recommended controls accumulate as you go down the list: each level requires its own controls plus those of every level above it.

Public
  Recommended controls: contracts, licensing, usage and log files for activity purposes
  Examples of content: news clippings; market data

Internal
  Recommended controls: assets labelled with their classification; log files; broad access control
  Examples of content: policy documents; routine procedures

Confidential
  Recommended controls: encryption (anonymizing, pseudonymizing); separation of duties; secured log files and access control; review of sample logs; systems involved are assessed periodically and around significant changes; trained and certified people involved in design and operation
  Examples of content: password lists; customer names; project documentation; customer snapshots; credit card numbers; account numbers

Highly Sensitive
  Recommended controls: review and sign-off of logs by stewards and custodians; systems involved are assessed periodically and around significant changes; host/device monitoring for intrusion; trained and certified information security people involved in the review of operations
  Examples of content: customer public identification associated with account information; customer data with SIN; strategic plans
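The classification scheme above, worked through in code as an added example (this is not code from the presentation or from BMO). It encodes the four levels and the rule that controls accumulate as sensitivity rises, then assigns a level to a record from the content types the scheme names: a record carrying a SIN is Highly Sensitive, one carrying a card number is Confidential. Both the Canadian SIN and payment card numbers carry a Luhn check digit, so candidates are validated rather than matched on digit count alone. The regular expressions, the sample records, and the fallback to Internal for records with no detected content are assumptions of this example.

```python
import re

# Classification levels in increasing sensitivity, as on the slide.
LEVELS = ["Public", "Internal", "Confidential", "Highly Sensitive"]

# Recommended controls per level, transcribed from the slide. The scheme
# accumulates: a level inherits every lower level's controls.
CONTROLS = {
    "Public": [
        "contracts, licensing, usage and log files for activity purposes",
    ],
    "Internal": [
        "assets labelled with their classification",
        "log files",
        "broad access control",
    ],
    "Confidential": [
        "encryption (anonymizing, pseudonymizing)",
        "separation of duties",
        "secured log files and access control",
        "review of sample logs",
        "systems assessed periodically and around significant changes",
        "trained and certified people involved in design and operation",
    ],
    "Highly Sensitive": [
        "review and sign-off of logs by stewards and custodians",
        "host/device monitoring for intrusion",
        "trained and certified information security people review operations",
    ],
}


def required_controls(level):
    """Accumulated control list for `level`: its own plus every lower level's."""
    rank = LEVELS.index(level)
    controls = []
    for lower in LEVELS[: rank + 1]:
        controls.extend(CONTROLS[lower])
    return controls


def luhn_ok(digits):
    """Luhn checksum, used by payment card numbers and the Canadian SIN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Candidate patterns (assumption: digit groups separated by spaces or hyphens).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")


def find_valid(pattern, text, lengths):
    """Matches of `pattern` whose digits have an allowed length and pass Luhn."""
    found = []
    for m in pattern.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if len(digits) in lengths and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text):
    """Map a record to a level: SIN data is Highly Sensitive, card numbers are
    Confidential; anything else defaults to Internal (an assumption here)."""
    findings = {}
    cards = find_valid(CARD_RE, text, range(13, 20))
    if cards:
        findings["credit_card_numbers"] = cards
    # Blank out card-length digit runs so a SIN is not read out of a spaced card.
    remainder = CARD_RE.sub(" ", text)
    sins = find_valid(SIN_RE, remainder, {9})
    if sins:
        findings["sin"] = sins
    if sins:
        level = "Highly Sensitive"
    elif cards:
        level = "Confidential"
    else:
        level = "Internal"
    return level, findings


# Constructed sample records (not real customer data; the card number is a
# well-known test number and the SIN is a Luhn-valid example value).
RECORDS = {
    "kyc_note": "Customer J. Doe, SIN 046 454 286, linked to account 12-3456",
    "payment": "Payment received on card 4111 1111 1111 1111",
    "ops_memo": "Routine procedure: rotate backup tapes on Friday",
}

if __name__ == "__main__":
    for name, text in RECORDS.items():
        level, findings = classify(text)
        print(f"{name}: {level} {findings}")
        for control in required_controls(level):
            print("   -", control)
```

Running the block prints each sample record's level and the full accumulated control list it attracts, so the "accumulates as you go down" rule is visible: the Highly Sensitive record lists thirteen controls, the Internal one four.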

Page 55

The New Audit Space. Control of Content: Digital Rights Management

[Entity-relationship diagram of the identity and entitlement model. Entities: Individual (Employee, Non-Employee); HR Reporting Hierarchy (Reports to); Position Hierarchy; Org Unit / Location; Position; Individual Position; Role; CPM Role Group; Provision Role Group; Application User ID; Application System; User Interface (Desktop); Activity; Right / Privilege; Enterprise Asset; and, for entitlements, Actual versus Target (Standard Target). Relationship labels: Is a; Occupies; Requires; Identifies access needs of role; EnID maps to; Is needed to access; Has a; Is part of; Generates; Updates; Targets are based on; Is at a; Includes; Is granted; Applies to.]
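The audit question this model raises is whether each individual's actual rights match the target rights their position implies. The following is an added example, not code from the presentation: it reads the diagram as the chain individual, position, role, provisioning role group, right on an enterprise asset, derives target entitlements from that chain, aggregates actual entitlements over every application user ID mapped to the individual, and reports excess rights, missing rights, orphaned user IDs, and separation-of-duties conflicts. All names, the identity data, and the toxic combination are constructed for the example.

```python
# Constructed identity data for the example (not from the presentation).

# HR reporting hierarchy: each individual occupies a position.
POSITION_OF = {"e1001": "Teller", "e1002": "Branch Manager",
               "e1003": "Contract Developer"}

# Position hierarchy: each position is at a role.
ROLE_OF_POSITION = {"Teller": "teller", "Branch Manager": "branch_manager",
                    "Contract Developer": "developer"}

# A role includes provisioning role groups (the role's access needs).
GROUPS_OF_ROLE = {
    "teller": ["core_banking_view", "core_banking_post"],
    "branch_manager": ["core_banking_view", "core_banking_approve", "hr_view"],
    "developer": ["source_repo_write"],
}

# Each role group grants rights/privileges that apply to enterprise assets.
RIGHTS_OF_GROUP = {
    "core_banking_view": {("CoreBanking", "read")},
    "core_banking_post": {("CoreBanking", "post_txn")},
    "core_banking_approve": {("CoreBanking", "approve_txn")},
    "hr_view": {("HRIS", "read")},
    "source_repo_write": {("SourceRepo", "write")},
}

# Application user IDs map to individuals (the diagram's "EnID maps to").
# e0999 no longer exists in HR data: old_contractor is an orphaned account.
OWNER_OF_USERID = {"tjones": "e1001", "tjones2": "e1001", "mlee": "e1002",
                   "svc_build": "e1003", "old_contractor": "e0999"}

# Actual rights as exported from each application system.
ACTUAL_RIGHTS = {
    "tjones": {("CoreBanking", "read"), ("CoreBanking", "post_txn"),
               ("CoreBanking", "approve_txn")},
    "tjones2": {("CoreBanking", "read")},
    "mlee": {("CoreBanking", "read"), ("CoreBanking", "approve_txn")},
    "svc_build": {("SourceRepo", "write"), ("CoreBanking", "read")},
    "old_contractor": {("SourceRepo", "write")},
}

# Separation-of-duties rule: rights one individual must not hold together.
TOXIC_COMBINATIONS = [
    {("CoreBanking", "post_txn"), ("CoreBanking", "approve_txn")},
]


def target_rights(individual):
    """Target entitlements: individual -> position -> role -> groups -> rights."""
    role = ROLE_OF_POSITION[POSITION_OF[individual]]
    rights = set()
    for group in GROUPS_OF_ROLE[role]:
        rights |= RIGHTS_OF_GROUP[group]
    return rights


def actual_rights(individual):
    """Actual entitlements: union over every user ID the individual owns."""
    rights = set()
    for user_id, owner in OWNER_OF_USERID.items():
        if owner == individual:
            rights |= ACTUAL_RIGHTS.get(user_id, set())
    return rights


def reconcile(individual):
    """Excess rights (actual, not target) and missing rights (target, not actual)."""
    target, actual = target_rights(individual), actual_rights(individual)
    return {"excess": sorted(actual - target), "missing": sorted(target - actual)}


def sod_violations(individual):
    """Toxic combinations fully present in the individual's actual rights."""
    actual = actual_rights(individual)
    return [sorted(combo) for combo in TOXIC_COMBINATIONS if combo <= actual]


def orphan_user_ids():
    """User IDs whose owner no longer appears in the HR hierarchy."""
    return sorted(uid for uid, owner in OWNER_OF_USERID.items()
                  if owner not in POSITION_OF)


if __name__ == "__main__":
    for person, position in POSITION_OF.items():
        print(person, position, reconcile(person), sod_violations(person))
    print("orphans:", orphan_user_ids())
```

Aggregating over all of an individual's user IDs matters: the teller's second account looks harmless on its own, but the combination across both accounts is what the separation-of-duties check evaluates, and the orphan check is the one that catches entitlements nobody in the position hierarchy owns any more.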

Page 56

The next level of challenge: Aligning the Infostructure with the Infrastructure

[Chart, after Daconta. Vertical axis: organizational complexity/capability, low to high; horizontal axis: passive to real time. Security functions plotted: Virtual Private Networks; Firewalls; Virus Scanners; Intrusion Detection Monitoring; Vulnerability Analysis; Real Time Response; Role-based Identity and Access Management; Digital Rights Management. Two layers are marked: Infrastructure Architecture, and Infostructure Architecture alongside XML Firewalls, Semantic Management and Content Management.]

Page 57

The New Security Debate Space

The B2B market forces are enabling standards.

– B2B models
– Taxonomies and ontologies
– XML protocols
– WS-Security standards

What protocol and standards drive your business ?

Do you have an Information Security Officer debating these issues ?

Page 58

The Role of the Chief Information Security Officer

1. Information Risk identification

2. Information Risk formalization

3. Development of practices and tools

4. Integrate “root cause” analysis into governance framework

5. Devolve processes from exception management into operations

6. Improve Information asset identification and management accountability

Page 59

The Dynamics of Systems Changes

"There is no problem so complicated that you can't find a very simple answer to it if you look at it the right way."

-- Douglas Adams  

The key to progress is the process of feedback in its most simple form, two-way communication.

[Images: Pink Floyd; Norbert Wiener]

Page 60

Social Engineering … at its best…

Page 61

The future of information security is bright ..

Become a CISO and survive

Page 62

Colophon

Page 63

Thank you
