e-id: are you (proven) in control? information risk management dennis van ham
Post on 26-Mar-2015
e-ID: are you (proven) in control?
INFORMATION RISK MANAGEMENT
DENNIS VAN HAM
© 2006 KPMG EDP Auditors N.V., member of KPMG International, a Swiss cooperative. All rights reserved.
Introduction and setting the scene
Identity: who are you? And how can we be sure it’s you?
Access: what are you allowed to do?
Business: protection of information is important but please don’t bother me;
Technology: lots of it available but how reliable is it really?
Audit and compliance management: proven in control?
Impact on people – changing threats and fast
Man-in-the-Middle Attacks
Pharming
Trojan Horses
Botnets
Spyware
Malware
Keylogging
“Classic” Phishing
And more …
(Timeline figure: threats plotted over the years 2003 to 2006)
People are different and have many e-IDs
Hip, 20-something male
Thinks he’s immune to online fraud
Freely gives away his personal information
Has a firewall and antivirus
Clicks on any link
His motto: I grew up with the Internet. I’m not afraid of it.
Tentative mother of grown children
Learning to navigate the Net
Considering banking online, but hasn’t taken the leap yet
Afraid of hackers from news story about ID theft victims
Her motto: The Web is complicated! Better to be safe than sorry.
Young, traveling businessman with a family
Juggles 30 passwords
Uses two-factor authentication at work
Wonders if it’s available for his personal accounts
His motto: Internet security is key, but I can’t carry one more thing.
Source: RSA Security
Impact on business
Compliance: SOX, HIPAA, Privacy, BASEL II, FDIC, etc.
Corporate or IT Governance: lack of clear strategy; timely implementation of policies or resolutions; policy enforcement and reporting.
Security: protection of intellectual property; rising administration and helpdesk costs; complex technologies and application infrastructure.
IT security survey: six important signals
Technology remains very dynamic; proper risk analysis is key, but it is not applied on a large scale;
Insufficient expertise is the most important motive for outsourcing IT security;
Hacking, viruses and worms are significant threats, yet companies have little insight into the quality of their protection;
Authorisation management is structured ineffectively and inefficiently;
Continuity management is often organised on paper, but it is usually not certain whether it also works well in practice;
The growing use of mobile devices requires attention.
Compliance – but not a goal in itself
Complex and getting management attention is difficult
Reality bites – ‘identity and access’ information everywhere
How does an auditor think?
Identity & Access Management – in a nutshell
Significant Integration Effort Required
(Architecture figure: three platform stacks side by side, each built from the same layers)
J2SE/J2EE: Frameworks; APIs and protocols; OS and infrastructure (Processing, Networking, Storage, Security)
Windows/.NET: Frameworks; APIs and protocols; OS and infrastructure (Processing, Networking, Storage, Security)
UNIX/LAMP: Frameworks; APIs and protocols; OS and infrastructure (Processing, Networking, Storage, Security)
Identity & Access Management components spanning the stacks: Authentication, Authorization, Provisioning, Audit Management, Meta-Directory, Cross Platform, Federation
More information?
Dennis van Ham, Consultant
KPMG Information Risk Management, Burgemeester Rijnderslaan 20, 1185 MC Amstelveen; Postbus 74105, 1070 BC Amsterdam. Telephone +31 (0)20 6568103, Fax +31 (0)20 6568388. E-mail: vanham.dennis@kpmg.nl. Internet: www.kpmg.nl/irm