Presented by: Peter S. Browne, Principal Manager, Peter Browne & Associates, LLC

Date posted: 21-Jan-2016

Description:
ABA WEBCAST BRIEFING. Foundations of Information Security. Presented by: Peter S. Browne, Principal Manager, Peter Browne & Associates, LLC. PowerPoint PPT presentation, 43 slides.

Transcript
Page 1: Presented by: Peter S. Browne  Principal Manager Peter Browne & Associates, LLC

ABA WEBCAST BRIEFING

Foundations of Information Security

Page 2: Projected B2B eCommerce Growth

[Chart: projected B2B eCommerce volume in billions of dollars, 2001 through 2004; vertical axis $0 to $8,000 billion]

2004 predictions:
Gartner: 7.3 trillion
Ovum: 1.4 trillion
Forrester: 6.3 trillion
Goldman: 3.2 trillion
emarketer: 2.8 trillion

Page 3: Internet Users Worldwide

[Chart: Internet users worldwide in millions, 1995 through 2002; vertical axis 0 to 350. Data labels: 1995: 14, 1996: 38, 1997: 69, 1998: 97, 1999: 132, 2000: 170, 2001: 228, 2002: 320]

Source: IDC

Page 4: Risk Management In Perspective - Drivers

New technologies
– Web presence
– Online transactions
– Delivery of professional services via the Internet

New risks
– Cyber-extortion
– Network security breaches
– Litigation
– Loss of “intangible” information

Dependence on third-party service providers

Page 5: The Problem

85% of companies report at least one computer security breach last year
90% report vandalism attacks
78% report denial of service attacks
64% acknowledged financial losses due to these attacks
Average loss: $2,000,000
– Melissa = $80 million total
– Denial of Service (Mafia Boy) = $1.2 billion
– Love Bug = $10 billion

Statistical data provided by CSI/FBI 2001 report

Page 6: The Computer Attack Risks

Loss or damage to data
Legal liability to others
Loss or damage to reputation
Loss of market capitalization and resulting shareholder lawsuits

Page 7: Foundations

Managing risk includes the following components:
– Accept
– Mitigate
– Transfer a portion of the risk to an insurance underwriter

Page 8: Electronic Commerce: A Paradigm Shift

Traditional Commerce                | Electronic Commerce
Centralized systems in glass house  | Distributed systems everywhere
Economy of scale                    | Economy of dispersion
Managed risk                        | Distributed risk
Security says NO                    | Security is an enabler

Page 9: Business Drivers for Security

The effect of the Internet on banking and financial services
Movement from information “silos” to information integration
Holistic view of risk management
Increasing global regulatory oversight
– Effect of GLBA (the Gramm-Leach-Bliley Act)
– Increasingly proactive regulatory agencies and audits
More pervasive and complex technologies

Page 10: The Four Foundations of Protection

People – Board and management commitment, dedicated technical personnel, crisis management team, all in place and active!

Process – Enterprise ISO 17799 (BS 7799) ready, on-going management, employee education and regular training, patch management.

Technology – Monitoring/log review, DMZ zones, firewall, anti-virus software, intrusion detection systems, remote access two-factor authentication, audit trails.

Page 11: The Overriding Objective

Security should be at the table whenever the technology or the business strategy changes, whether the technology is managed in-house or it is outsourced to third parties.

Page 12: People Success Factors

1. Set up the right organization

Page 13: Organizational Placement of IT Security

Report separately from IT (Audit, Security, Legal, Finance)
Report directly to CIO/Head of Technology
Report into CTO/Operations
Part-time function
Split function

Page 14: Roles and Responsibilities

Set policy/standards/guidance
Act as internal consultant
Perform system/security operations
Provide oversight over outsourced/third-party technology providers
Conduct/manage assessments and audits

Page 15: Ownership

What to centralize:
– Policy, standards, guidance
– Test and validation of security
– Cross-enterprise coordination
– System-wide administration

What to decentralize:
– Accountability
– Risk acceptance
– User access administration

Page 16: People Success Factors

1. Set up the right organization

2. Get good people and train them adequately

Page 17: Security Must Add Value

Facilitate, don’t obfuscate
Be a perpetual student
Provide solutions to business needs
Communicate, communicate, communicate
Be an agent of change
Focus on operational excellence
Treat risk as part of the business equation
Clearly articulate what is expected

Page 18: What Is the Scope?

Make security enterprise-wide… and coordinated with all business units
Focus early in the product/software life cycle
Enlist allies:
– Business units
– Legal
– Operations
– Risk management
Earn your budget!

Page 19: Preach Security Awareness

Educated management
Understand risk
– To the enterprise
– To the given business
– To the individual
Application of security standards
– In the software development life cycle
– In the management of platforms

Page 20: People Success Factors

1. Set up the right organization

2. Get good people and train them adequately

3. Get management commitment

Page 21: Articulate Risk in Business Terms

Value of the asset
Probability of a loss
Likely cost over time

[Chart: probability of occurrence (vertical axis) plotted against value of fraud (horizontal axis, starting at 0)]

Page 22: Control Analogy: ATM versus Internet

Control                                                | ATM | Internet
Known and limited number of customer entry points      | Yes | No
Two-factor authentication required (card plus PIN)     | Yes | No
Camera recording all activity                          | Yes | No
Limited amount of cash available for withdrawal        | Yes | Maybe
Full audit trail of all activity                       | Yes | Maybe
Physical limits to bulk fraud                          | Yes | No
Customer cannot stop an initiated transaction          | Yes | No
Settlement and problem resolution processes in place   | Yes | Maybe
Customer has receipt to verify transaction             | Yes | Maybe

Page 23: Management Involvement

Top-level steering committee
Task force
Advisory board
Reporting key performance indicators
Reporting incidents
Compliance checking

Page 24: Process Success Factors

1. Put policy and standards in place

Page 25: Security Life Cycle Steps

1. Assess current security state
2. Update policies
3. Develop and document "baseline" security standard
4. Translate standards into security guidelines
5. Implement guidelines on systems
6. Ensure compliance with standards

Page 26: Top-level Policy

Hierarchy: Policy, Standards, Guidelines, Procedures, Practice

Broad statement of intent
Sets the expectations for compliance
Must acknowledge individual accountability
Culture-dependent
Must cover appropriate use
Must be enforced

Page 27: Standards

Hierarchy: Policy, Standards, Guidelines, Procedures, Practice

Describe what to do, not how to do it
Explain the application of policy
Cover all elements of information security
Use existing models (I4, the International Information Integrity Institute, and ISF, the Information Security Forum)
Provide the cornerstone for compliance

Page 28: Guidelines

Hierarchy: Policy, Standards, Guidelines, Procedures, Practice

Tell how to meet standards
Are platform- or technology-specific
Provide examples and configuration recommendations
Must be kept up to date
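Pages 25 and 28 describe a chain that ends in platform-specific guidelines and a check that systems comply with them. The script below is an added example (not code from the original slides) that carries that chain into working form: a hypothetical guideline expressed as required settings, a weak and a corrected configuration, and a checker that turns every deviation into a finding and a compliance percentage. The configuration syntax and setting names are borrowed from sshd_config purely for illustration, and the defaults the checker assumes for absent settings are part of that assumption.

```python
"""Baseline-compliance check: an added example, not code from the original slides.

Models the last links of the chain the deck describes (standard -> platform
guideline -> implement on systems -> ensure compliance). The guideline below is
hypothetical; its syntax and setting names follow sshd_config for illustration,
and the assumed defaults are what the checker uses when a setting is absent.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Requirement:
    setting: str                      # configuration key the guideline governs
    allowed: Callable[[str], bool]    # predicate the observed value must satisfy
    expected: str                     # wording used in the finding
    default: Optional[str] = None     # assumed value when the key is absent


# Hypothetical platform guideline derived from a "baseline" standard.
GUIDELINE: Sequence[Requirement] = (
    Requirement("Protocol", lambda v: v == "2", "2"),
    Requirement("PermitRootLogin", lambda v: v.lower() == "no", "no", default="yes"),
    Requirement("PasswordAuthentication", lambda v: v.lower() == "no", "no", default="yes"),
    Requirement("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4, "4 or fewer", default="6"),
    Requirement("LogLevel", lambda v: v.upper() in ("INFO", "VERBOSE"), "INFO or VERBOSE", default="INFO"),
)

# Constructed sample configurations: the weak state beside the corrected one.
WEAK_CONFIG = """\
# as found on a freshly built host
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
LogLevel VERBOSE
PermitRootLogin yes   # duplicate later in the file: ignored, first value wins
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines. '#' starts a comment, blank lines are skipped,
    keys are case-insensitive and the first occurrence of a key wins (the
    sshd_config rule, so a stray override at the end of the file cannot
    silently loosen an earlier setting)."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        values.setdefault(parts[0].lower(), value)
    return values


def check_compliance(config: Dict[str, str], guideline: Sequence[Requirement]) -> List[str]:
    """One finding per requirement the configuration fails to meet."""
    findings = []
    for req in guideline:
        value = config.get(req.setting.lower(), req.default)
        if value is None:
            findings.append(f"{req.setting}: not set (expected {req.expected})")
        elif not req.allowed(value):
            findings.append(f"{req.setting}: is '{value}' (expected {req.expected})")
    return findings


def compliance_score(text: str, guideline: Sequence[Requirement]) -> float:
    """Percentage of requirements met: the figure a platform-compliance metric reports."""
    failed = len(check_compliance(parse_config(text), guideline))
    return round(100.0 * (len(guideline) - failed) / len(guideline), 1)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {compliance_score(text, GUIDELINE)}% compliant")
        for finding in check_compliance(parse_config(text), GUIDELINE):
            print("  -", finding)
```

The guideline is data, not code, so it can be versioned and reviewed like the standard it implements, and the "first value wins" parsing rule is the kind of platform detail a guideline has to state explicitly, since a checker that took the last value would pass a file that the daemon reads as non-compliant.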

Page 29: Process Success Factors

1. Put policy and standards in place

2. Build a robust program

Page 30: Desired State of Security

Desired state of security: the level of security controls needs to correspond to the value/sensitivity of the underlying information asset: “risk-based”

Security must:
– Be incorporated into the development process
– Be part of the overall architecture
– Be part of the project management and implementation process
– Be part of system administrators’ and network planners’ job function
– Keep current with technologies because they evolve rapidly. What worked yesterday may not be valuable today (digital certificates, application proxy firewalls, biometrics, IDS)

Page 31: Process Success Factors

1. Put policy and standards in place

2. Build a robust program

3. Track metrics for accountability

Page 32: Platform Compliance

Page 33: Security Awareness

[Chart: Security Awareness Survey Results. Average score on a scale of 1 to 10 by month, January through December, with the monthly score plotted against the goal]

Page 34: Operational Statistics

Page 35: Technology Success Factors

1. Protect the perimeter

Page 36: Perimeter Control

Firewall technology in place to protect
Concept of a DMZ
Intrusion detection
– Network-based
– Host-based
Standardized system configuration

Page 37: [Diagram: hosts (system of record) and bank systems behind middleware, reached through a call center, VRU, Internet web servers, kiosks, home phone, PFM and the PFM network, ATM networks (Tandem), AOL, and vendors and third parties connected through third-party middleware]

Page 38: Technology Success Factors

1. Protect the perimeter

2. Provide consistent security services

Page 39: Consistent Security Services

Remote access authentication and authorization
– Remote dial-in access
– Internet access
– Business-to-business links

System management
– Lockdown of access
– File protection
– Security patches
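Page 10 lists "remote access two-factor authentication" and page 39 asks for consistent remote-access authentication across dial-in, Internet and B2B links. The block below is an added example, not code from the original slides, of what the second factor looks like in practice: an HOTP token (RFC 4226) verified server-side with a resynchronisation window and replay protection, combined with a password as the first factor. It assumes a per-user shared secret and event counter held by the server, and a salted PBKDF2 password hash; the RFC 4226 test secret is used so the codes can be checked against the RFC's published vectors.

```python
"""HOTP (RFC 4226) as the second factor for remote-access login: an added
example, not code from the original slides.

Assumptions: each user has a shared secret provisioned to a hardware or
software token and stored server-side, plus a per-user event counter; the
first factor is a password stored as a salted PBKDF2 hash. The RFC 4226 test
secret is used so the codes match the RFC's published vectors
(counter 0 -> 755224, counter 1 -> 287082, counter 2 -> 359152, ...).
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one user's token.

    A look-ahead window tolerates a token whose counter has moved ahead of the
    server's (the resynchronisation RFC 4226 describes). A successful match
    advances the server counter past the value used, so a code can never be
    replayed, and a code behind the server counter is rejected outright."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, candidate: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1
                return True
        return False


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, password: str, otp_secret: bytes):
        self.salt, self.password_hash = hash_password(password)
        self.otp = HotpVerifier(otp_secret)


def authenticate(account: Account, password: str, otp_code: str) -> bool:
    """Both factors are always evaluated and only the combined verdict is
    returned, so a failed attempt does not reveal which factor was wrong."""
    _, candidate_hash = hash_password(password, account.salt)
    password_ok = hmac.compare_digest(candidate_hash, account.password_hash)
    otp_ok = account.otp.verify(otp_code)
    return password_ok and otp_ok


if __name__ == "__main__":
    acct = Account("correct horse battery staple", RFC4226_TEST_SECRET)
    code = hotp(RFC4226_TEST_SECRET, 0)
    print("first login :", authenticate(acct, "correct horse battery staple", code))
    print("replayed OTP:", authenticate(acct, "correct horse battery staple", code))
```

Because a correct code is consumed even when the password is wrong, a production deployment adds attempt limits and lockout around authenticate(); the point of the example is the token side, which is the same whether the user arrives over dial-in, the Internet or a B2B link.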

Page 40: Technology Success Factors

1. Protect the perimeter

2. Provide consistent security services

3. Capture audit data

Page 41: Audit Trails

What to capture
– All access to systems
– All intrusion attempts
– Financial transactions
– Access to sensitive data

Uses
– Digital forensics
– Monitoring of security
– Improving performance
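Page 36 calls for host-based intrusion detection and page 41 for capturing logins, intrusion attempts, financial transactions and access to sensitive data, then using the trail for monitoring and forensics. The block below is an added example, not code from the original slides, that runs detection logic over a constructed audit trail covering exactly those record types and shows the forensic timeline view. The `key=value` line format, the business-hours window and the transaction limit are assumptions made for the example.

```python
"""Audit-trail review: an added example, not code from the original slides.

The records are constructed for this example in a 'key=value' line format
chosen for readability (an assumption; real systems emit syslog, Windows
event logs or database audit tables). They cover what the slide says to
capture: logins (all access), failed logins (intrusion attempts), financial
transactions and access to sensitive data. The detectors are the kind of
logic a monitoring job runs over the trail; timeline() is the forensic view.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_LOG = """\
2001-10-15T02:11:03 host=web01 event=login user=jsmith src=203.0.113.7 result=FAIL
2001-10-15T02:11:09 host=web01 event=login user=jsmith src=203.0.113.7 result=FAIL
2001-10-15T02:11:15 host=web01 event=login user=jsmith src=203.0.113.7 result=FAIL
2001-10-15T02:11:21 host=web01 event=login user=jsmith src=203.0.113.7 result=FAIL
2001-10-15T02:11:27 host=web01 event=login user=jsmith src=203.0.113.7 result=FAIL
2001-10-15T02:12:40 host=web01 event=login user=jsmith src=203.0.113.7 result=OK
2001-10-15T02:13:02 host=db01 event=file_access user=jsmith path=/data/customers.db class=sensitive
2001-10-15T02:14:30 host=app01 event=txn user=jsmith account=4471 amount=9800.00
2001-10-15T09:05:12 host=web01 event=login user=mlee src=198.51.100.9 result=FAIL
2001-10-15T09:05:40 host=web01 event=login user=mlee src=198.51.100.9 result=OK
2001-10-15T09:30:00 host=db01 event=file_access user=mlee path=/data/rates.txt class=public
2001-10-15T10:00:00 host=app01 event=txn user=mlee account=1020 amount=250.00
"""


def parse_line(line: str) -> Dict[str, object]:
    """'<ISO timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec: Dict[str, object] = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text: str) -> List[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_failure_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding window per source address: `threshold` failed logins inside
    `window` is an intrusion attempt; an OK login from that source while the
    burst is still inside the window is escalated, because the guess may have
    succeeded. Events must be in time order, as an audit trail is."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for e in events:
        if e.get("event") != "login":
            continue
        src, ts = e["src"], e["ts"]
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()
        if e["result"] == "FAIL":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"ts": ts, "src": src, "severity": "medium",
                               "detail": f"{len(q)} failed logins within {window}"})
        elif src in flagged and q:
            alerts.append({"ts": ts, "src": src, "severity": "high",
                           "detail": f"successful login for {e['user']} after failure burst"})
    return alerts


def detect_sensitive_after_hours(events, start_hour=8, end_hour=18):
    """Sensitive-data access outside business hours (assumed 08:00 to 18:00)."""
    return [e for e in events if e.get("event") == "file_access"
            and e.get("class") == "sensitive" and not (start_hour <= e["ts"].hour < end_hour)]


def detect_large_transactions(events, limit=5000.0):
    """Financial transactions above an assumed review threshold."""
    return [e for e in events if e.get("event") == "txn" and float(e["amount"]) > limit]


def timeline(events, user):
    """Forensic view: every recorded action of one user, in time order."""
    return sorted((e for e in events if e.get("user") == user), key=lambda e: e["ts"])


def kpis(events):
    """Counts a monitoring report would carry to management."""
    return {
        "logins": sum(e["event"] == "login" for e in events),
        "failed_logins": sum(e["event"] == "login" and e["result"] == "FAIL" for e in events),
        "sensitive_accesses": sum(e.get("class") == "sensitive" for e in events),
        "transactions": sum(e["event"] == "txn" for e in events),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_failure_bursts(evs):
        print(a["ts"], a["severity"], a["src"], a["detail"])
    for e in timeline(evs, "jsmith"):
        print(e["ts"], e["host"], e["event"])
```

The three detectors deliberately correlate record types the slide lists separately: on the sample trail the failure burst, the late-night read of customer data and the large transaction all belong to one session, which is exactly the story the timeline view reconstructs for an investigator.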

Page 42: Information Security as the Foundation for Electronic Commerce

The people are the critical components, but they must be supported by management and trained
The process starts with the policy, and concludes with implementation
The technology must be put in place to manage and enforce security
Management commitment is not difficult… if
Metrics: if you can’t measure it, you can’t control it
Information security bridges the business and the technology

Page 43: The Future

In the future, there’ll be just two kinds of banks — the ones on the Internet and the ones who never saw it coming.