TRANSCRIPT
Presented by: Peter S. Browne, Principal Manager, Peter Browne & Associates, LLC
ABA WEBCAST BRIEFING
Foundations of Information Security
Projected B2B eCommerce Growth
[Chart: projected B2B eCommerce in billions of dollars, 2001-2004; y-axis from $0 to $8,000]
2004 Predictions:
Gartner: 7.3 Trillion
Ovum: 1.4 Trillion
Forrester: 6.3 Trillion
Goldman: 3.2 Trillion
eMarketer: 2.8 Trillion
Internet Users Worldwide
[Chart: Internet users worldwide in millions, 1995-2002; y-axis from 0 to 350; data labels as extracted: 14, 38, 69, 97, 132, 170, 228, 320]
Source: IDC
Risk Management In Perspective - Drivers
New Technologies
– Web presence
– Online transactions
– Delivery of professional services via the Internet
New Risks
– Cyber-extortion
– Network security breaches
– Litigation
– Loss of “intangible” information
Dependence on third-party service providers
The Problem
85% of companies report at least one computer security breach last year
90% report vandalism attacks
78% report denial of service attacks
64% acknowledged financial losses due to these attacks
Average loss: $2,000,000
– Melissa = $80 million total
– Denial of Service (Mafia Boy) = $1.2 billion
– Love Bug = $10 billion
Statistical data provided by CSI/FBI 2001 report
The Computer Attack Risks
Loss or damage to data
Legal liability to others
Loss or damage to reputation
Loss of market capitalization and resulting shareholder lawsuits
Foundations
Managing risk includes the following components:
– Accept
– Mitigate
– Transfer a portion of the risk to an insurance underwriter
Electronic Commerce: A Paradigm Shift
Traditional Commerce                  Electronic Commerce
Centralized systems in glass house    Distributed systems everywhere
Economy of scale                      Economy of dispersion
Managed risk                          Distributed risk
Security says NO                      Security is an enabler
Business Drivers for Security
The effect of the Internet on banking and financial services
Movement from information “silos” to information integration
Holistic view of risk management
Increasing global regulatory oversight
– Effect of GLBA
– Increasingly proactive regulatory agencies and audits
More pervasive and complex technologies
The Four Foundations of Protection
People
– Board and management commitment, dedicated technical personnel, crisis management team all in place and active!
Process
– Enterprise ISO7799 ready, on-going management, employee education and regular training, patch management.
Technology
– Monitoring/log review, DMZ zones, firewall, anti-virus software, intrusion detection systems, remote access two-factor authentication, audit trails.
The Overriding Objective
Security should be at the table whenever the technology or the business strategy changes, whether the technology is managed in-house or it is outsourced to third parties.
People Success Factors
1. Set up the right organization
Organizational Placement of IT Security
Report separately from IT (Audit, Security, Legal, Finance)
Report directly to CIO/Head of Technology
Report into CTO/Operations
Part-time function
Split function
Roles and Responsibilities
Set policy/standards/guidance
Act as internal consultant
Perform system/security operations
Provide oversight over outsourced/third-party technology providers
Conduct/manage assessments and audits
Ownership
What to centralize:
– Policy, standards, guidance
– Test and validation of security
– Cross-enterprise coordination
– System-wide administration
What to decentralize:
– Accountability
– Risk acceptance
– User access administration
People Success Factors
1. Set up the right organization
2. Get good people and train them adequately
Security Must Add Value
Facilitate, don’t obfuscate
Be a perpetual student
Provide solutions to business needs
Communicate, communicate, communicate
Be an agent of change
Focus on operational excellence
Treat risk as part of the business equation
Clearly articulate what is expected
What Is the Scope?
Make security enterprise-wide… and coordinated with all business units
Focus early in the product/software life cycle
Enlist allies:
– Business units
– Legal
– Operations
– Risk management
Earn your budget!
Preach Security Awareness
Educated management
Understand risk
– To the enterprise
– To the given business
– To the individual
Application of security standards
– In the software development life cycle
– In the management of platforms
People Success Factors
1. Set up the right organization
2. Get good people and train them adequately
3. Get management commitment
Articulate Risk in Business Terms
Value of the asset
Probability of a loss
Likely cost over time
[Chart: Probability of Occurrence (y-axis) against Value of Fraud (x-axis)]
Control Analogy: ATM versus Internet
Control                                                ATM   Internet
Known and limited number of customer entry points     Yes   No
Two-factor authentication required (card plus PIN)    Yes   No
Camera recording all activity                         Yes   No
Limited amount of cash available for withdrawal       Yes   Maybe
Full audit trail of all activity                      Yes   Maybe
Physical limits to bulk fraud                         Yes   No
Customer cannot stop an initiated transaction         Yes   No
Settlement and problem resolution processes in place  Yes   Maybe
Customer has receipt to verify transaction            Yes   Maybe
Management Involvement
Top-level steering committee
Task force
Advisory board
Reporting key performance indicators
Reporting incidents
Compliance checking
Process Success Factors
1. Put policy and standards in place
Assess current security state
Update policies
Develop and document a "baseline" security standard
Translate standards into security guidelines
Implement guidelines on systems
Ensure compliance with standards
Security Life Cycle Steps
Policy → Standards → Guidelines → Procedures → Practice
Top-level Policy
Broad statement of intent
Sets the expectations for compliance
Must acknowledge individual accountability
Culture-dependent
Must cover appropriate use
Must be enforced
Standards
Describe what to do, not how to do it
Explain the application of policy
Cover all elements of information security
Use existing models (I4 & ISF)
Provide the cornerstone for compliance
Guidelines
Tell how to meet standards
Are platform- or technology-specific
Provide examples and configuration recommendations
Must be kept up to date
Process Success Factors
1. Put policy and standards in place
2. Build a robust program
Desired State of Security
Desired state of security: the level of security controls needs to correspond to the value/sensitivity of the underlying information asset: “risk-based”
Security must:
– Be incorporated into the development process
– Be part of the overall architecture
– Be part of the project management and implementation process
– Be part of system administrators’ and network planners’ job function
– Keep current with technologies because they evolve rapidly. What worked yesterday may not be valuable today (digital certificates, application proxy firewalls, biometrics, IDS)
Process Success Factors
1. Put policy and standards in place
2. Build a robust program
3. Track metrics for accountability
Platform Compliance
Security Awareness
Security Awareness Survey Results
[Chart: average score on a scale of 1-10 by month, January through December; series: Score, Goal]
Operational Statistics
Technology Success Factors
1. Protect the perimeter
Perimeter Control
Firewall technology in place to protect
Concept of a DMZ
Intrusion Detection
– Network based
– Host based
Standardized system configuration
[Diagram: bank perimeter architecture. Components shown: Hosts (system of record), Middleware, Call Center, Internet Web Servers, Kiosks, Home Phone, PFM, ATM Nets, Tandem, PFM Network, Vendors, VRU, Bank Systems Vendors, AOL, Third Party Middleware]
Technology Success Factors
1. Protect the perimeter
2. Provide consistent security services
Consistent Security Services
Remote access authentication and authorization
– Remote dial-in access
– Internet access
– Business-to-business links
System management
– Lockdown of access
– File protection
– Security patches
Technology Success Factors
1. Protect the perimeter
2. Provide consistent security services
3. Capture audit data
Audit Trails
What to capture
– All access to systems
– All intrusion attempts
– Financial transactions
– Access to sensitive data
Uses
– Digital forensics
– Monitoring of security
– Improving performance
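Added example (not from the webcast slides): a small review pass over a constructed audit trail that covers the four record categories the slide says to capture, producing the kind of monitoring findings the "Uses" bullet refers to. The pipe-separated record layout, the field names and the thresholds are assumptions made for this illustration.

```python
# Added example, not from the webcast slides. Record layout
# (timestamp|category|user|source|outcome|detail) and thresholds are assumed.
from collections import Counter

# Constructed sample records; addresses, users and amounts are invented.
SAMPLE_AUDIT_TRAIL = """\
2001-06-01T08:02:11|access|jdoe|10.1.4.22|success|login web-banking
2001-06-01T08:05:01|intrusion|unknown|203.0.113.9|fail|login attempt
2001-06-01T08:05:03|intrusion|unknown|203.0.113.9|fail|login attempt
2001-06-01T08:05:05|intrusion|unknown|203.0.113.9|fail|login attempt
2001-06-01T08:05:07|intrusion|unknown|203.0.113.9|fail|login attempt
2001-06-01T08:05:09|intrusion|unknown|203.0.113.9|fail|login attempt
2001-06-01T09:10:00|transaction|jdoe|10.1.4.22|success|transfer 250.00
2001-06-01T09:11:00|transaction|msmith|10.1.4.23|success|transfer 75000.00
2001-06-01T23:40:00|sensitive|ops1|10.1.9.5|success|read customer_ssn
"""

FAILED_LOGIN_THRESHOLD = 5        # failures from one source before flagging
LARGE_TRANSFER_THRESHOLD = 50000  # assumed policy limit, in currency units
BUSINESS_HOURS = range(8, 18)     # 08:00-17:59, assumed
FIELDS = ("timestamp", "category", "user", "source", "outcome", "detail")

def parse_audit_trail(text):
    # One dict per non-blank line; detail may contain spaces but no pipes.
    records = []
    for line in text.splitlines():
        if line.strip():
            records.append(dict(zip(FIELDS, line.split("|", 5))))
    return records

def review_audit_trail(records):
    # Returns (rule, subject, value) tuples for a reviewer to follow up.
    findings = []
    # Intrusion attempts: repeated failures from a single source address.
    failures = Counter(r["source"] for r in records
                       if r["category"] == "intrusion" and r["outcome"] == "fail")
    for source, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_failed_logins", source, count))
    for r in records:
        # Financial transactions: amounts at or above the assumed limit.
        if r["category"] == "transaction":
            amount = float(r["detail"].split()[-1])
            if amount >= LARGE_TRANSFER_THRESHOLD:
                findings.append(("large_transaction", r["user"], amount))
        # Sensitive data: access outside business hours.
        elif r["category"] == "sensitive":
            hour = int(r["timestamp"][11:13])
            if hour not in BUSINESS_HOURS:
                findings.append(("off_hours_sensitive_access", r["user"], hour))
    return findings
```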
Information Security as the Foundation for Electronic Commerce
The people are the critical components, but they must be supported by management and trained
The process starts with the policy, and concludes with implementation
The technology must be put in place to manage and enforce security
Management commitment is not difficult… if
Metrics: If you can’t measure it, you can’t control it
Information security bridges the business and the technology
The Future
In the future, there’ll be just two kinds of banks — the ones on the Internet and the ones who never saw it coming.