Managing Business Risk in the 21st Century

Presentation on theme: "Managing Business Risk in the 21st Century"— Presentation transcript:

1 Managing Business Risk in the 21st Century
07/16/96 Mike Hager, Enterprise Security Advisor. FOR INTERNAL USE ONLY – DO NOT DISTRIBUTE

2 Sometimes Things Do Go Wrong!

3 Threats Today Include
- A belief on the part of senior management that there are no serious threats directed at their company.
- Terrorist acts
- Natural disasters
- Criminal acts
- Network attacks: inside attacks, outside attacks
- Viruses/malicious code

4 The 10 Top Management Errors in Addressing Threats
10. Believe Information Security and Disaster Recovery are important issues, but believe they are important issues for someone else to handle.
09. Pretend the problem will go away if they simply ignore it.
08. Use technology as a fix and not a solution.
07. Fail to realize the value of their information and organizational reputations.
06. Believe that "it" will never happen to them!
05. Fail to understand the relationship between Information Security and Disaster Recovery and the business.

5 The 10 Top Management Errors in Addressing Threats
04. Rely primarily on a FIREWALL.
03. Address Security and Disaster Recovery as an afterthought, "something we can add later".
02. Look at Security and Disaster Recovery as an expense, not an investment – budgets are normally based on last year's budget minus 15%.
01. Fail to fully design, develop and implement an Enterprise Security and Business Resumption Strategy for their organization.

6 Information Security Strategy
What does this strategy start with? It starts with knowing what to protect.
If you don't know what to protect, how do you know how to protect it? Without knowing what to protect we end up either over-protecting or under-protecting our valuable, critical and sensitive information. Neither of which "is a good thing."

7 Building An Information Security Strategy
Element I Companies must engage in sound business and security practices that afford critical and sensitive information adequate protection resulting in an acceptable level of risk against loss, improper use, compromise, or unauthorized alteration or modification.

8 Building An Information Security Strategy
Element II Protection programs must be flexible and capable of addressing all information protection needs in the ever changing business and technical environment.

9 Building An Information Security Strategy
Element III Protection programs must be focused on actual threats. Strategies must be developed that are based on sound business practices. Addresses the law of Probability vs. Possibility

10 Building An Information Security Strategy
Element IV Protection programs must ensure the confidentiality and integrity of critical systems and sensitive information, while ensuring its availability to those who need it to perform their assigned duties and tasks. Your program must also ensure compliance with Federal and State regulations.

11 Privacy Regulation Impact On your Business
New Federal and State regulations based on the GLBA and California SB1386 require that we adopt policies and procedures reasonably designed to:
- Insure the security and confidentiality of customer records and information.
- Protect against any anticipated threat or hazard to the security and integrity of customer records and information.
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

12 Business Continuity/ Disaster Recovery

14 Disaster Recovery/Business Continuity
- Have you recently conducted a Business Impact Analysis?
- Do you know what data is critical to your business survival?
- Have you fully defined a Recovery Time Objective (RTO)?
- Have you compared your RTO with your capabilities and addressed your gaps in meeting the RTO?
- Have you prepared Business Continuity Plans for each major business function?

15 Disaster Recovery/Business Continuity
- Do you have a strategy for backing up all your critical data?
- Are your critical backups stored off site?
- Do you have plans for the recovery of each critical system and application?
- How often do you test your recovery capability?
- Can you meet your Recovery Time Objective?

16 Protection Triad: People, Facilities, Technology

17 Physical Security

18 Physical Security
Physical Security addresses:
- Protection of facilities/assets
- Protection of people/employees
- Protection of technology (i.e. computers, printers, data centers etc.)
- Protection of hard-copy data and information

19 Information/Computer Security

20 The Key Elements of an Enterprise Security Architecture?
- Organization
- Development of policies and procedures that are enforceable
- Security education and awareness (for all employees)
- Incident response
- Network protection strategy
- Ability to address future business needs

21 The Key Elements of an Enterprise Security Architecture?
Security is no longer just a technology issue - it is a business issue. We must readdress our security programs to where we do Security for the sake of the Business - not for the sake of Security.

22 Security Organization
Does your organization have a corporate-level leader with:
- adequate responsibility;
- authority; and
- sufficient numbers of technically qualified personnel to ensure effective design and implementation of your Information Security strategy and programs?

24 Policies and Procedures
- Do you have written security policies and procedures that have senior management "buy-in" and are adopted by the business?
- Have they been implemented?
- Are they monitored?
- Are they enforced?
- Have you educated all employees on their responsibilities?
- Do you have a system in place to constantly review these policies to keep them current?

25 Policies and Procedures
A recent "Infoweek" magazine survey indicated that 25% of all corporations they surveyed had a written policy, and that 36% of the respondents have no regular agenda for reviewing their security policies, 17% do so only once a year, and 5% never do so.
Bottom line: an unenforced, out-of-date policy is a useless policy.

26 Security Education and Awareness
What you don't know can hurt you!
Has senior management been briefed on:
- threats directed at your company;
- results of any risk/security evaluation;
- security policies and practices in place?
Have all employees been briefed on their responsibilities for protecting sensitive information and systems?

27 Security Education and Awareness
- Do employees know who to call if they have security concerns?
- Are updated security policies and procedures communicated to all employees?
- Do you have documents that indicate employees' commitment to follow the security rules?
- Do you educate contractors on their obligations?

28 Network Protection Strategy
Our Network Protection Strategy should take a layered approach. At a minimum it should include three layers of protection:
- The Gateway Layer answers the question "Can I come in?"
- The Control Layer answers the question "Where can I go?"
- The Data Layer answers the question "What can I do?"

29 Network Protection Strategy
Layered Approach (diagram): Gateway Layer -> Control Layer -> Data Layer

30 Mapping Partner Solutions
(Diagram, mapped against Cumulative Business Impact.)
- Identity-Enabled Enterprise: Provisioning, Web services, Application self-service, Federation, CRM, Portals, Personalization, Collaboration
- Authentication & Access Control: Process automation via workflow, De-provisioning, Password management, User account management, Auditing and reporting, Single/reduced sign-on, Role-based access control (RBAC), Digital certificates, Biometrics, Smart Card/Tokens, Remote Access, Intrusion Detection and Prevention
- Directory Infrastructure: Directory Services, Metadirectory, Virtual Directory, Delegated Administration
- Products shown: IBM Directory, Tivoli Risk Manager, IBM Directory Integrator, Tivoli Access Manager for e-Business and ISS RealSecure, Tivoli Access Manager, Tivoli Identity Manager, Tivoli Privacy Manager

31 The Gateway Layer Answers the question “Can I come in?”
Allows you to address how access is gained to your networks:
- Firewalls
- Intrusion Detection/Prevention Systems
- Log readers and event correlation
- Stronger methods of access control: digital certificates, tokens, biometrics

32 Gateway Layer – The Considerations
- Remote access such as VPN and extranets
- User authentication management methods
- Do you rely solely on the password as your method of authentication to protect critical data and systems?
- Do you believe you are safe because you have a firewall?
- Have you tested your password strength with a password cracker such as L0phtCrack?
Keep in mind that gateway-level protection does little to protect against the insider threat.
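The password-cracker check the slide asks about, as an added example that is not code from the presentation: a small offline dictionary audit in Python. It assumes a constructed dump of unsalted SHA-256 hashes and a constructed five-word wordlist; L0phtCrack targeted Windows LM/NTLM hashes, but the method (guess, apply mangling rules, hash, compare) is the same. The users `alice`, `bob`, `carol` and `dave` and their passwords are invented for the demonstration.

```python
"""Offline dictionary audit of password hashes (L0phtCrack-style check).

Added example, not code from the presentation. It assumes a constructed
dump of unsalted SHA-256 hashes, which is how many weak custom schemes
store passwords; a real audit targets the hash format the system actually
uses (LM/NTLM, bcrypt, ...), but the method is the same: guess, hash, compare.
"""
import hashlib
import itertools

# Constructed sample wordlist; a real audit uses a large leaked-password list.
WORDLIST = ["password", "welcome", "summer", "unisys", "letmein"]

# Common letter-for-symbol substitutions that crackers try automatically.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word: str):
    """Yield the variants a cracker tries for one base word: case changes,
    a trailing digit, short year or symbol, and leet substitutions."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    for base in bases:
        yield base
        for suffix in itertools.chain(map(str, range(10)), ["123", "2003", "!"]):
            yield base + suffix


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def crack(hashes: dict, wordlist=WORDLIST) -> dict:
    """Return {user: recovered_password} for every hash a guess matches.

    The candidate table is computed once and reused for every user; unsalted
    hashes make that possible, which is exactly why salting matters."""
    candidates = {}
    for word in wordlist:
        for guess in mangle(word):
            candidates.setdefault(sha256_hex(guess), guess)
    return {user: candidates[h] for user, h in hashes.items() if h in candidates}


def audit(hashes: dict, wordlist=WORDLIST) -> dict:
    """Summarise the result: who fell, and what fraction of accounts that is."""
    found = crack(hashes, wordlist)
    return {"cracked": found, "cracked_fraction": len(found) / len(hashes)}


# Constructed sample hash dump: three weak choices and one long passphrase.
SAMPLE_HASHES = {
    "alice": sha256_hex("Summer2003"),
    "bob": sha256_hex("p@$$w0rd"),
    "carol": sha256_hex("letmein1"),
    "dave": sha256_hex("correct horse battery staple"),
}

if __name__ == "__main__":
    for user, password in crack(SAMPLE_HASHES).items():
        print(f"{user}: {password}")
```

Three of the four accounts fall to a five-word list with trivial mangling, which is the slide's point: if the password can be guessed, the answer to "Can I come in?" is yes. Running a real audit against the hash format your systems actually use, with a large leaked-password list, is the check; salted slow hashes plus a second factor are the fix.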

33 What is Needed to Complete the Gateway Layer
- Firewalls
- Intrusion Detection/Intrusion Prevention, network and host based
- Tools to help eliminate reliance on passwords by implementing a stronger authentication model
- VPNs
- Tools that address encryption of sensitive data during transmission
- Content filtering and URL blocking tools for Internet use
- SPAM filtering and blocking tools

34 Benefits of Completing the Gateway Layer
- Eliminates reliance on passwords as the only means of protection, reducing risk and liability. Remember: if you know or can guess the password, the answer to "Can I come in?" is always YES.
- Sets the architectural foundation for future e-business.
- Provides a foundation for secure access.
- Provides your company/organization with the ability to identify and react to attacks directed at your networks from outside the company.

35 The Control Layer Answers the question, "Where can I go?"
- Does your security program identify the groups and roles for each employee?
- Do these roles identify exactly what each employee has and can have access to?
- Redesign your access control model to be one that is based on user groups and the roles your employees have within your organization.
- Implement tools that will allow you to effectively manage the role-based access control model.
Bottom line: do you really know who has access to your data, and can you control it?

36 Benefits of Completing the Control Layer
- Provides you with the ability to manage access administration from a single tool.
- Allows you to quickly turn on and turn off access.
- Replaces your current traditional "paper trail" of access requests with a fast and accurate electronic workflow approach.
- Can provide for provisioning of things other than computer access.

37 Benefits of Completing the Control Layer
- Provides an audit trail and strong security by consolidating all access information into a single database.
- Provides you with the means to quickly set up access for new applications implemented by the company.
- Reduces the number of calls to the help desk by providing users with the ability to reset their own passwords.
- Takes control of the management of access within your applications and networks.
- Increases productivity by eliminating all but a single password for the majority of users.

38 The Data Layer Answers the question, “What can I do?”
Do you have the methodology to identify and restrict the abilities of each user?
- Can all users read all data?
- Can all users modify all data?
- Can all users delete all data?
- Can you restrict access based on a user's role?
- Have you considered looking at Digital Rights Management?
- Have you considered developing an encryption strategy to protect the most sensitive data?
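The three questions of the layered model (slide 28), the role-based control layer (slide 35), the quick turn-off of access (slide 36) and the per-action data layer (slide 38), together as one added Python example. This is not the presentation's code nor any product named on slide 30. The users, passwords, roles, resources and permissions are constructed; the one-time code check stands in for a real token, certificate or biometric factor; and the rule that `delete` needs strong authentication is an assumed policy, not one the slides state.

```python
"""One access decision through all three layers: gateway ("Can I come in?"),
control ("Where can I go?") and data ("What can I do?").

Added example; users, roles, resources and the strong-auth policy are
constructed for illustration. The OTP check is a stand-in for a real second factor.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Control layer: role -> resource -> actions. Users hold rights only through
# roles, which is what makes "who has access to what" answerable from one table.
ROLE_PERMISSIONS = {
    "teller":  {"accounts": {"read"}, "transactions": {"read", "modify"}},
    "auditor": {"accounts": {"read"}, "transactions": {"read"}, "audit_log": {"read"}},
    "dba":     {"accounts": {"read", "modify", "delete"},
                "transactions": {"read", "modify", "delete"}},
}
# Data-layer policy (assumed): destructive actions need more than a password.
STRONG_AUTH_ACTIONS = {"delete"}


@dataclass
class User:
    name: str
    roles: set
    salt: bytes
    pw_hash: bytes
    otp_secret: bytes = b""   # enrolled second factor, empty if none
    active: bool = True       # flipped by deprovisioning


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(name, password, roles, mfa=False) -> User:
    salt = secrets.token_bytes(16)
    return User(name, set(roles), salt, _hash_password(password, salt),
                otp_secret=secrets.token_bytes(16) if mfa else b"")


def expected_otp(user: User) -> str:
    """Stand-in for a token/TOTP value: HMAC of a fixed counter under the secret."""
    return hmac.new(user.otp_secret, b"counter-1", "sha256").hexdigest()[:6]


def authenticate(directory, name, password, otp=None):
    """Gateway layer. Returns a session dict, or None. A disabled account fails
    here, before any role is consulted, so turning access off is one flag."""
    user = directory.get(name)
    if user is None or not user.active:
        return None
    if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
        return None
    strong = bool(user.otp_secret) and otp is not None \
        and hmac.compare_digest(otp, expected_otp(user))
    return {"user": user.name, "roles": set(user.roles), "strong_auth": strong}


def authorize(session, resource, action):
    """Control layer, then data layer. Returns (allowed, layer that decided)."""
    if session is None:
        return False, "gateway"
    reachable = {}
    for role in session["roles"]:
        for res, actions in ROLE_PERMISSIONS.get(role, {}).items():
            reachable.setdefault(res, set()).update(actions)
    if resource not in reachable:
        return False, "control"   # "Where can I go?": not there
    if action not in reachable[resource]:
        return False, "data"      # "What can I do?": not that
    if action in STRONG_AUTH_ACTIONS and not session["strong_auth"]:
        return False, "data"      # right role, but a password-only session
    return True, "data"


def deprovision(directory, name):
    """Quick turn-off: one flag, no per-application cleanup needed first."""
    directory[name].active = False


def build_directory():
    """Constructed directory of three users; built fresh so demo() is repeatable."""
    return {u.name: u for u in [
        create_user("tina", "Tell3r-pass", ["teller"]),
        create_user("ada", "Aud1t-pass", ["auditor"], mfa=True),
        create_user("dan", "Dba-pass!", ["dba"], mfa=True),
    ]}


def demo() -> dict:
    d = build_directory()
    r = {}
    tina = authenticate(d, "tina", "Tell3r-pass")
    r["teller_reads_accounts"] = authorize(tina, "accounts", "read")
    r["teller_reads_audit_log"] = authorize(tina, "audit_log", "read")
    r["teller_deletes_txn"] = authorize(tina, "transactions", "delete")
    dan_pw = authenticate(d, "dan", "Dba-pass!")
    r["dba_password_only_delete"] = authorize(dan_pw, "accounts", "delete")
    dan_mfa = authenticate(d, "dan", "Dba-pass!", otp=expected_otp(d["dan"]))
    r["dba_mfa_delete"] = authorize(dan_mfa, "accounts", "delete")
    deprovision(d, "dan")
    r["dba_after_deprovision"] = authenticate(d, "dan", "Dba-pass!") is None
    return r


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The layer that refuses tells you which question failed: the teller is stopped at the control layer for the audit log (no role reaches it) and at the data layer for deleting transactions (the role reaches the resource but not that action); the DBA with a password-only session is refused the delete even though the role permits it; and once deprovisioned, the DBA never gets past the gateway, so no downstream cleanup is needed to cut access.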

39 Incident Response All companies/organizations can be attacked!
Having the ability to:
- Identify: can you identify that you are being attacked?
- Contain: not letting the attack spread, or stopping the attacker from traversing your network.
- Eradicate the attack: having the ability to terminate the attacker's access can limit the amount of damage that can be caused.
These are key elements and are essential in surviving an attack.
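The identify and contain steps run over a constructed authentication log, as an added Python example that is not code from the presentation. The sshd-style line format, the source address 203.0.113.9 (a documentation range), the user names, and the threshold of five failures within two minutes are all assumptions a real team would replace with its own log format and baseline.

```python
"""Identify a password-guessing run in an auth log and derive containment
and eradication actions from it.

Added example; the log lines below are constructed, and the threshold and
window are assumptions to be tuned against a real baseline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample: a guessing run from 203.0.113.9 that finally succeeds as
# "backup", interleaved with normal activity from an internal host.
SAMPLE_LOG = """\
2003-05-01T09:00:01 sshd: Failed password for root from 203.0.113.9
2003-05-01T09:00:02 sshd: Failed password for admin from 203.0.113.9
2003-05-01T09:00:03 sshd: Accepted password for alice from 10.0.0.5
2003-05-01T09:00:04 sshd: Failed password for oracle from 203.0.113.9
2003-05-01T09:00:05 sshd: Failed password for test from 203.0.113.9
2003-05-01T09:00:06 sshd: Failed password for guest from 203.0.113.9
2003-05-01T09:00:07 sshd: Failed password for backup from 203.0.113.9
2003-05-01T09:00:09 sshd: Accepted password for backup from 203.0.113.9
2003-05-01T09:06:00 sshd: Failed password for bob from 10.0.0.5
2003-05-01T09:06:10 sshd: Accepted password for bob from 10.0.0.5
"""


def parse(lines):
    """Turn matching log lines into event dicts; unknown lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def identify(events, threshold=5, window=timedelta(minutes=2)):
    """Identify: per source, flag `threshold` failures inside `window`, and
    note whether a login from that source succeeded after the run began."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e["ts"] for e in evs if e["result"] == "Failed"]
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                start = fails[i]
                success = next((e for e in evs
                                if e["result"] == "Accepted" and e["ts"] >= start), None)
                alerts[ip] = {"first": start,
                              "failures": sum(1 for t in fails if t >= start),
                              "compromised_user": success["user"] if success else None}
                break
    return alerts


def contain(alerts):
    """Contain and eradicate: block the source at the gateway; if a login got
    through, end that user's sessions and force a credential reset."""
    actions = []
    for ip, alert in alerts.items():
        actions.append(("block_source", ip))
        if alert["compromised_user"]:
            actions.append(("terminate_sessions", alert["compromised_user"], ip))
            actions.append(("reset_credentials", alert["compromised_user"]))
    return actions


if __name__ == "__main__":
    found = identify(parse(SAMPLE_LOG.splitlines()))
    for ip, alert in found.items():
        print(f"{ip}: {alert['failures']} failures from {alert['first']}, "
              f"compromised user: {alert['compromised_user']}")
    for action in contain(found):
        print(action)
```

The single failed login from 10.0.0.5 never reaches the threshold, so normal users are not blocked; the external source is flagged on its fifth failure, and because an "Accepted" for `backup` follows the run, containment goes beyond the gateway block to terminating that user's sessions and resetting the credential, which is the eradicate step the slide describes.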

40 More Security Doesn’t Always Make You More Secure…
Remember More Security Doesn’t Always Make You More Secure… Better Planning and Management Does!

41 Managing the Risks The world has changed dramatically since September 11th. It is critical that we take a proactive approach in mitigating our Business risks. This is not an easy job. It requires an approach that addresses all risks not just a few. It requires support at all levels within the company.

42 When it comes to addressing our business risks
Closing Thoughts When it comes to addressing our business risks We never plan to fail We just fail to plan

43 Questions?
Unisys would like to thank all of you for your attendance today. Thank you!
David "Mike" Hager, Unisys Corporation

