Financial Advisory & Litigation Consulting Services Risk Management 2006 September 14-15, 2006 The Metropolitan Club, New York, NY Workshop B: Information Risk/Security Track
Financial Advisory & Litigation Consulting Services Risk Management 2006 September 14-15, 2006 The Metropolitan Club, New York, NY Workshop B: Information Risk/Security Track Presented by: George G. McBride, CISSP, CISM Aon Consulting

1 Complexity: The root of evil!
Sources of complexity:
- Huge manuals
- Certifications required to utilize or even purchase a product
- Undocumented features
- Staffing issues
- Updates and patches and hot-fixes and service packs and upgrades!
- Changing technology
- Complex DMZs
- And many more

2 Information Technology Security Challenges
- Enterprises are globally connected and information-driven
- Extended enterprises include business partners, outsourcing providers, telecommuters, clients, etc.
- Network and technology dependency has created critical risk exposures that are becoming more difficult to manage
- External and internal threats to information assets are growing and changing rapidly
- Regulatory requirements are increasing in scope and complexity
- Technologies are continuously emerging and converging
- Customers demand a high level of security and privacy for their data
Interesting fact: over 5 exabytes of new information were produced and stored in a single year; five exabytes is about equal to 500,000 Libraries of Congress (report by UC Berkeley).

3 Data Everywhere

4 Information Security and Risk Services
The Aon Difference: we provide a comprehensive approach to information security risk management issues
—A Return on Security Investment to enable intelligent risk management decisions
—A holistic approach to managing information security risk
—Partnering with clients throughout the information security risk management life cycle
—Working with technology vendors and insurance partners to negotiate the best possible rates for risk mitigation or risk financing
—A formal methodology to assess risk: repeatable, documented, and evolving

5 What is the solution?
Information security risk management should:
—Align with business objectives
—Integrate people, process and technology
—Focus on the business impact of information loss
—Be based on leading practices and standards
—Be architected to enable multiple risk mitigation options
The slide's risk diagram relates three elements: Threats (opportunity, motivation, capability); Vulnerabilities (technology, processes, people); and Potential Consequences (IT disruption, financial loss, litigation, damaged brand, regulatory fine, revenue loss).

6 Risk-based Security Strategy
1. Identify the threats to specific business areas
2. Assess the level of vulnerability
3. Gauge the potential impact
4. Develop a security option path
Security options in the example risk framework: Transfer, Control, Manage.

7 Benefits of a Risk-based Integrated Approach
When utilizing a risk-based, integrated approach the organization can:
—Transfer risks to third parties or purchase insurance
—Control risk through the implementation of security controls
—Monitor risks that the organization chooses to accept
—Make the right security investments to address the most critical assets within the organization
—Ensure effectiveness of the most critical element of security: people
—Address regulatory compliance efficiently and cost-effectively

8 Integrated with the Organization
Information security is not just a "technology" issue. Human elements and processes are also essential:
—People: the #1 cause of security breaches. People issues include policies and procedures, technology management, security awareness, incident response, and the security organization.
—Process: how work is conducted has a huge impact on how security should be designed and deployed; it balances productivity with security.
—Technology: focus has traditionally been on external threats and perimeter security technology, e.g. firewalls, intrusion monitoring, network security, etc. Technology can also help with internal issues, e.g. Role Based Access Control.
Definition: Role Based Access Control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise. By definition RBAC incorporates elements of People, Processes and Technologies: the roles model the organization's people and their job functions, the assignment and separation-of-duties rules are process decisions, and the enforcement point is technology.
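The RBAC definition above, worked through in code. This is an added example written for this page, not code from the presentation or from Aon: permissions attach to roles, users are assigned roles, and the access decision asks whether any effective role grants the requested operation on the resource, denying by default. It goes slightly beyond the slide's definition by adding a role hierarchy (a senior role inherits a junior role's permissions) and a static separation-of-duties constraint, both assumed here; the HR/payroll roles, users and resources are hypothetical sample data.

```python
"""Deny-by-default RBAC with role inheritance and static separation of duties.

Added example for this page (not from the slides). Role names, users and
resources below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Rbac:
    role_perms: dict[str, set[tuple[str, str]]] = field(default_factory=dict)  # role -> {(resource, operation)}
    role_parents: dict[str, set[str]] = field(default_factory=dict)            # role -> roles it inherits from
    user_roles: dict[str, set[str]] = field(default_factory=dict)              # user -> directly assigned roles
    exclusive: set[frozenset[str]] = field(default_factory=set)               # mutually exclusive role pairs

    def add_role(self, role: str, parents: tuple[str, ...] = ()) -> None:
        for parent in parents:
            if parent not in self.role_perms:
                raise KeyError(f"unknown parent role {parent!r}")
        self.role_perms.setdefault(role, set())
        self.role_parents[role] = set(parents)

    def grant(self, role: str, resource: str, operation: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.role_perms[role].add((resource, operation))

    def add_exclusive(self, role_a: str, role_b: str) -> None:
        self.exclusive.add(frozenset((role_a, role_b)))

    def _closure(self, roles) -> set[str]:
        """Transitive closure of a set of roles over the parent relation."""
        seen: set[str] = set()
        stack = list(roles)
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.role_parents.get(role, ()))
        return seen

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        current = self.user_roles.setdefault(user, set())
        # Static separation of duties (the "process" rule, enforced by the "technology"):
        # refuse the assignment if the user's effective roles, including everything the
        # new role inherits, would contain a mutually exclusive pair.
        proposed = self._closure(current | {role})
        for pair in self.exclusive:
            if pair <= proposed:
                raise ValueError(f"assigning {role!r} to {user!r} would combine {sorted(pair)}")
        current.add(role)

    def effective_roles(self, user: str) -> set[str]:
        """Directly assigned roles plus everything they inherit."""
        return self._closure(self.user_roles.get(user, ()))

    def check(self, user: str, resource: str, operation: str) -> bool:
        """Access decision. Unknown users, resources or operations fall through to False."""
        return any(
            (resource, operation) in self.role_perms.get(role, ())
            for role in self.effective_roles(user)
        )


def build_sample() -> Rbac:
    """Hypothetical HR/payroll policy (constructed sample data)."""
    rbac = Rbac()
    rbac.add_role("employee")
    rbac.add_role("hr-clerk", parents=("employee",))
    rbac.add_role("hr-manager", parents=("hr-clerk",))
    rbac.add_role("auditor")

    rbac.grant("employee", "payslip:self", "read")
    rbac.grant("hr-clerk", "payroll", "edit")
    rbac.grant("hr-manager", "payroll", "approve")
    rbac.grant("auditor", "payroll", "read")

    # Whoever can edit payroll must not also be the one who audits it.
    rbac.add_exclusive("hr-clerk", "auditor")

    rbac.assign("alice", "hr-manager")
    rbac.assign("bob", "employee")
    rbac.assign("carol", "auditor")
    return rbac


def sod_blocks(rbac: Rbac, user: str, role: str) -> bool:
    """True if the separation-of-duties constraint rejects assigning `role` to `user`."""
    try:
        rbac.assign(user, role)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    policy = build_sample()
    for user, resource, op in [("alice", "payroll", "approve"), ("alice", "payroll", "edit"),
                               ("bob", "payroll", "edit"), ("carol", "payroll", "read"),
                               ("mallory", "payroll", "read")]:
        verdict = "ALLOW" if policy.check(user, resource, op) else "DENY"
        print(f"{user:8} {op:8} {resource:12} -> {verdict}")
    # hr-manager inherits hr-clerk, so it is also blocked for the auditor.
    print("carol + hr-manager blocked by SoD:", sod_blocks(policy, "carol", "hr-manager"))
```

The separation-of-duties check is computed over the closure of the user's roles, not only the directly assigned ones; otherwise a role that merely inherits an excluded role (here "hr-manager", which inherits "hr-clerk") would slip past the constraint. That inherited-conflict case is the one most often missed in real RBAC deployments.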

9 Information Security and Risk Services
Phase: Assess
- Activities: Identify and analyze information security risk profile
- Approach: Facilitated sessions; Documentation review; Data collection; Testing and validation; Valuation exercises
- Tools: Commercial and proprietary tools
- Deliverables: Executive summary and detailed report, including significant findings, benchmark/scoring, and a continuous risk improvement process
Phase: Plan
- Activities: Analyze risk/security gaps; Document improvement recommendations; Conduct strategic security planning; Vendor evaluation and selection
- Approach: Security solutions based on regulatory compliance, industry standards and best practices, and objectives that are important to the organization
- Tools: Industry best practices and standards framework
- Deliverables: Information Security Roadmap (solution architecture, prioritized objectives, implementation plan, timeline, success criteria, team structure)
Phase: Implement
- Activities: Solution design and architecture; Program/project management; Solution deployment
- Tools: Security technology center; Project management and reporting tools

10 Information Security and Risk Services
Assessment:
- Information Security Risk Assessment & Analysis
- Regulatory Compliance Reviews
- Security Controls Gap Analysis
- Network & System Vulnerability Assessment
- Application Security Assessment
- PBX Assessment
- Penetration Testing
- Wireless Security
- Identity and Access Readiness Assessment
- Technology and Vendor Selection Assessment
- Social Engineering
- Physical and Life Safety
Consulting:
- Security Policy Review
- Security Management
- Incident Response/Forensics Investigation
- Asset Classification
- Network Security Architecture
- Security Awareness Program
- Information Security Program Management
- Disaster Recovery/Business Continuity Planning
- Secure Software Development
- Staff Augmentation
- General Security Consulting
- Litigation Readiness Programs

11 Information Security and Risk Services
Implementation services:
- Firewall Implementation
- Wireless Networking
- Identity and Access Management
- Access Control Implementation
- Remote Access
- Directory Services
- Two Factor Authentication
- Single Sign-On
- Authentication
- Encryption
- Storage and Archiving
- Backup and Recovery
- Data Management
- Patch Management
- Asset Tracking/Management
- Endpoint Security
- Content Security
- Security Policy Framework & Development
- Security Management
- Threat Management
- Security Event Management
- Anti-Virus
- Anti-Spam
- Intrusion Detection and Prevention
- Host Integrity

12 Industry Best Practices
- Even the professional services firms look to a 3rd party to assess, manage, design, and implement their infrastructure
- Look for true vendor neutrality in your assessors
- Use a proven methodology to assess your infrastructure
- Understand your baseline: what are you comparing your IT infrastructure to?
- Develop quality metrics
- Know your risk tolerance

Contact Me
George G. McBride
Director, IT Security Consulting, Risk Consulting Services Practice
Financial Advisory & Litigation Consulting Services