© netSurity 2005

Presented by Phil Cracknell, FBCS, CISSP

CTO – [email protected] – http://www.netSurity.com


Introduction
- Who am I?
- What am I going to talk about?
- Where's the sell? (Everyone is selling something.)
- Why should I listen?
- Why so fast? (25 mins including a demo!)


The real problems with risk management are…
- The people
- The tools
- The process
- The follow-up
- The motive
- The management
- The time
- The effort
- The outcome
- The paperwork!


"In America any boy may become President and I suppose it's just one of the risks he takes." - Adlai E. Stevenson Jr.

Background
- One of the key areas in which technology and product offerings have lagged seriously behind is risk management
- Vulnerability assessment tools are common, but they are generally IT-centric and offer no help in assessing risk: they enumerate weaknesses, not the likelihood or business impact of their exploitation
- Combine this with the ineffective way in which most businesses conduct risk assessments and you have a potentially deadly situation!


"If we don't succeed, we run the risk of failure." - Dan Quayle

Changing world
- Recent changes in legislation, combined with an increased requirement for regulatory compliance, have forced businesses to assess their risks
- Begrudgingly, these assessments produce actions and the need to manage the risks they have uncovered
- Instead of consolidating this effort so that the next piece of legislation that asks tough questions can be answered from the same work, businesses continue to 'knee-jerk'


"Take calculated risks. That is quite different from being rash." - George S. Patton

What is risk?
Risk is a danger…
- A factor, thing, element or event which may cause certain or uncertain loss, harm, danger, hazard or other menace
- "Danger; (exposure to) the possibility of loss, injury or other adverse circumstance" - Oxford English Dictionary

Risk is also an opportunity…
- …to make money, save money, save time, save effort…
- This is WHY we have to manage risk: the world would not turn without certain people/entities being allowed to let the wheel spin without guarding against the worst case

Two important factors when considering risk:
- Is the likelihood of a given threat occurring reasonable?
- Would the impact of the threat be significant?


“To win without risk is to triumph without glory. - Pierre Corneille”

What is risk?


"Be wary of the man who urges an action in which he himself incurs no risk." - Joaquin Setanti

Know WHAT to protect
- Until you understand what assets there are to protect you cannot effectively manage any of the risks
- Common areas of overlap exist (e.g. physical/logical security) and can introduce gaps where assets are not included in any assessment because each side assumes the other covers them
- Assumptions and estimates are still common forms of asset valuation


"The policy of being too cautious is the greatest risk of all." - Jawaharlal Nehru

The common options for managing risk
- Ignore it / accept it
- Insure against it
- Transfer it
- Strengthen your defences against it
- Avoid it (by changing some of the variables)


"In the long run, we get no more than we have been willing to risk giving." - Sheldon Kopp

Risk in isolation
- Not conducting a FULL risk assessment in any organisation is the worst thing you can do (physical, logical, economic, business, geographic, political, cultural, personnel etc.)
- Having risks present in such disparate domains can introduce new issues:
  - Which is more important?
  - Which do you do first?
  - Who co-ordinates mitigation across the domains?


"Progress always involves risk; you can't steal second base and keep your foot on first base." - Frederick Wilcox

The problem with IT risk management
- IT risk management is an element of your overall company risk management process
- It is so often approached quite differently from 'corporate' risk management:
  - IT and computer risks are more commonly addressed quickly with technology fixes
  - Assumptions are more often made
  - Highly important peripheral, indirect risks are ignored
  - Conducted at the wrong time (in the project lifecycle)…
  - …by the wrong people (not independent)


"With love, you should go ahead and take the risk of getting hurt... because love is an amazing feeling." - Britney Spears

How does iQSM help me manage risk?
- iQSM was seven years in the making (planning, not coding!)
- A result of the experience gained from hundreds of audits, penetration tests, risk assessments and other security assignments conducted by netSurity principals
- Extensive client and industry discussions to capture requirements and understand where such a tool could be most beneficial


"A lot of people approach risk as if it's the enemy when it's really fortune's accomplice." - Sting

What is iQSM?
- iQSM is a comprehensive risk management suite
- iQSM helps businesses to understand and assess ALL the areas in which they may be at risk
- iQSM is a process that organisations can go through that will enable them to:
  - Understand the security requirements of their organisation
  - Audit and compare their security implementation with their requirements
  - Easily manage security audits and valuable security information
  - Understand what security improvements must be achieved
  - Gain control of security policies
  - Keep up to date with current security requirements


What are the benefits of iQSM?
There are many reasons why an organisation should undertake a quality process to examine and manage its risks:
- To ensure that the organisation's risks are fully understood and mitigated
- To get control of security for financial or managerial reasons
- To provide assurances to customers, investors, directors and staff
- To ensure the organisation meets its regulatory requirements
- To ensure that appropriate security is applied across the organisation


The iQSM Process
The iQSM process is conducted in five phases using the iQSM IDEAS process model, which is similar to the IDEAL model for process improvement (the SEI's model, often borrowed for change programmes).

The phases are:
- Initiate
- Define
- Execute
- Analyse
- Secure


The iQSM Process Model


Starting the iQSM process
- iQSM is a lifecycle for quality management of your IT security, not a one-off process
- The first time the iQSM process is undertaken it will be a new process. After that there may be several reasons to review the IT security of the organisation or a particular part of it:
  - The organisation or business has changed in some way, indicating that new risks may be faced
  - A review has to be undertaken after a period of time, e.g. annually or six-monthly
  - A security update from Threat Horizon


iQSM Features
- Threat Horizon – daily updates
- Policy Generator – re-use of answers
- 'What-if' scenario generator – ROI/ROSI
- SIP/DNA customisation – flexibility
- Question customisation – flexibility
- Question filtering – efficiency
- Audit consolidation – enterprise view
- Audit scheduling/resource management – efficiency
- iResponse (coming soon) – automation of the response plan
- iValidate (coming soon) – validation of technical data


iQSM Technical Specification
- iQSM is fully developed in C# on the ASP.NET framework
- iQSM can integrate with Active Directory for user administration and permissions
- iQSM uses a MS SQL database
- The data tables are accessible only via stored procedures, which are encrypted
- There is a comprehensive licensing mechanism to prevent misuse of the system
- All access is via a fully hashed password and username
- Comprehensive logs of activity are available
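The specification states the "tables only via stored procedures" rule in one line. As an added illustration (not iQSM's own schema or code, which the deck does not show), the T-SQL below sets that pattern up on Microsoft SQL Server: the application role holds no permission on the table at all, only EXECUTE on a procedure that wraps the write, and a permission check run under that role confirms the table is unreachable directly. Every object name (iqsm_app, iqsm_web, AuditAnswer, usp_RecordAnswer) is hypothetical, and the WITH ENCRYPTION caveat in the comments is the practitioner's view, not a claim about iQSM.

```sql
-- Added example, not iQSM's own code: data tables reachable only
-- through stored procedures on SQL Server. All names are hypothetical.

-- A table shaped like the audit session described in the deck:
-- one answer per question, optionally flagged 'uncertain', with evidence.
CREATE TABLE dbo.AuditAnswer (
    AnswerId   INT IDENTITY(1,1) PRIMARY KEY,
    AuditId    INT           NOT NULL,
    QuestionId INT           NOT NULL,
    Answer     NVARCHAR(20)  NOT NULL,
    Uncertain  BIT           NOT NULL DEFAULT 0,
    Evidence   NVARCHAR(MAX) NULL,
    AnsweredBy SYSNAME       NOT NULL DEFAULT ORIGINAL_LOGIN(),
    AnsweredAt DATETIME      NOT NULL DEFAULT GETDATE()
);
GO

-- The web application connects as a member of this role. Nothing is
-- ever granted on dbo.AuditAnswer to it: no SELECT, INSERT, UPDATE, DELETE.
CREATE ROLE iqsm_app;
GO

-- The only path into the table. Procedure and table share an owner (dbo),
-- so ownership chaining lets the procedure touch the table without the
-- caller holding any table permission of its own.
-- WITH ENCRYPTION only obfuscates the text stored in sys.sql_modules; a
-- sysadmin or a DAC connection can recover it, so it hides the logic from
-- casual viewers and is not a secrecy control.
CREATE PROCEDURE dbo.usp_RecordAnswer
    @AuditId    INT,
    @QuestionId INT,
    @Answer     NVARCHAR(20),
    @Uncertain  BIT = 0,
    @Evidence   NVARCHAR(MAX) = NULL
WITH ENCRYPTION
AS
BEGIN
    SET NOCOUNT ON;

    -- Validation lives in the procedure; the application has no other
    -- route to the table, so it cannot be bypassed from the client side.
    IF @Answer NOT IN (N'Yes', N'No', N'Partial', N'Not applicable')
    BEGIN
        RAISERROR('Answer must be Yes, No, Partial or Not applicable', 16, 1);
        RETURN 1;
    END;

    INSERT INTO dbo.AuditAnswer (AuditId, QuestionId, Answer, Uncertain, Evidence)
    VALUES (@AuditId, @QuestionId, @Answer, @Uncertain, @Evidence);
    RETURN 0;
END;
GO

GRANT EXECUTE ON OBJECT::dbo.usp_RecordAnswer TO iqsm_app;
GO

-- Check the boundary with a database user that is only in iqsm_app.
-- (WITHOUT LOGIN keeps the check self-contained; the real app user would
-- map to an AD login instead.)
CREATE USER iqsm_web WITHOUT LOGIN;
EXEC sp_addrolemember 'iqsm_app', 'iqsm_web';
GO

EXECUTE AS USER = 'iqsm_web';

-- Expected: can_read_table = 0, can_exec_proc = 1
SELECT HAS_PERMS_BY_NAME('dbo.AuditAnswer',     'OBJECT', 'SELECT')  AS can_read_table,
       HAS_PERMS_BY_NAME('dbo.usp_RecordAnswer', 'OBJECT', 'EXECUTE') AS can_exec_proc;

-- The write through the procedure succeeds even though the caller has
-- no INSERT right on the table.
EXEC dbo.usp_RecordAnswer @AuditId = 1, @QuestionId = 42,
                          @Answer = N'Partial', @Uncertain = 1,
                          @Evidence = N'Firewall ruleset exported, not yet reviewed';

-- A direct read fails with error 229 (SELECT permission denied).
SELECT * FROM dbo.AuditAnswer;
GO

REVERT;
GO
```

The point the check makes: the boundary is enforced by what the role is not granted, not by hiding the procedure text. If a second procedure were later added with dynamic SQL built from its parameters, EXECUTE on that procedure would reopen the table, so new procedures need the same review as the schema grants.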


Using iQSM
iQSM comprises the following components:
- an audit dashboard
- a reporting tool
- an administration interface
- a question editor
- a live update facility (Threat Horizon)


The Audit Session
- Evidence or further supporting information can be uploaded/supplied for each question; this can be used to record why a particular answer was given
- Bookmarks allow a user to return to an audit at any time
- Answers can be marked as 'uncertain' for later review


Reporting
Reports can be generated to show a variety of information:
- DNA-specific SIP reports
- Audit comparison ('Splodge' reports)


Thank you!
Questions / Demonstration
