

1 Enterprise Risk Management, September 2010, Miami, FL. © 2010 Enterprise Risk Management
Information Security: Facing the Risks in Electronic Channels and Social Media

2 Agenda
- Implementing a Comprehensive Security Program
- Conducting Security Risk Assessments – Best Practices
- Security Attack Trends and Prevention Strategies
- Emerging Technologies and Social Media – Security Threats and Countermeasures

3 Implementing a Comprehensive Security Program

4 Information Security Program
- It is an initiative which serves to ensure that information assets are properly protected.

5 Reasons for a Security Program
- Minimize costly risks
- Provide a structured manner to address information security
- Align information security initiatives with business strategies, goals and objectives – IT Governance
- Comply with laws, regulations and industry standards

6 Information Security Program
Every organization's information security program should be guided by the following:
- Plans for achieving information security goals and objectives
- Clear and comprehensive mission, goals, and objectives
- Performance measures to continuously monitor the efficiency and effectiveness of identified goals and objectives

7 Information Security Program
An information security program should cover:
- Security function
- Security risk assessment
- Security plans
- Security policies
- Security standards
- Security procedures

8 Information Security Program
An information security program should cover:
- Information assets ownership
- Classification of information assets
- Information security laws, regulations and industry standards
- Logical security
- Physical security
- Disaster recovery and contingency planning

9 Information Security Program
An information security program should cover:
- Auditing and monitoring
- Security incident response
- Security awareness and training
- Human Resources
- Legal
- Help Desk / user support

10 Information Security Program
An information security program should cover:
- System life cycle management
- External service providers
- Security reviews

11 Security Program Life Cycle (ISO 27001:2005)

12 Security Program Life Cycle
Organizations should follow a life cycle approach in developing, implementing and maintaining their information security program:
- Establish ISMS
- Implement and Operate ISMS
- Monitor and Review ISMS
- Maintain and Improve ISMS
This approach ensures that security is an on-going and continually improving process.

13 Who Directs This Initiative?
- Board of Directors
- Top Management
- Information Security Committee

14 How Does a Security Program Affect My Job?
- Information security is part of every employee's responsibility.
- Security policies, standards and procedures affect everyone – for example:
  - Each time someone enters the building
  - Each time a password is used
  - Each time customer information is viewed or edited

15 Ongoing Monitoring
- An effective information security program requires constant review.
- Organizations should monitor the status of their programs to ensure that:
  - Ongoing information security activities are providing appropriate support to the organization's mission.
  - Policies, standards and procedures are current and aligned with evolving technologies.
  - Security controls are accomplishing their intended purpose.

16 Conducting Security Risk Assessments – Best Practices

17 Security Risk Assessment
- Phase I – Project Initialization
- Phase II – System Inventory and Classification of Assets
- Phase III – Threat Analysis
- Phase IV – Security Controls Testing
- Phase V – Implementation of Security Controls
- Phase VI – Monitor Security Controls

18 Phase I – Project Initialization
- Define the objective
- Define the scope
- Define the method required (e.g., Qualitative, Quantitative)
- Define the personnel required
- Define the approach to gather the information
- Define the deliverables for each phase

19 Phase II – System Inventory and Classification of Assets
- Document the organization's information assets
  - Consider all departments and business processes
  - Consider information assets in physical and logical format
- Classify the information assets:
  - Critical – the organization cannot operate without this information asset.
  - Essential – the organization needs the information asset at some point in time.
  - Normal – the organization can operate without this information asset for an extended period of time.

20 Phase II – System Inventory and Classification of Assets
- Deliverable – Phase II
  Item No. | Asset Name | Asset Description | Classification (C/E/N) | Owner | Location | Other
  1 | Payroll 2000 | Payroll Application | E | Human Resources | Server - A |

21 Phase III – Threat Analysis
- Identify security threats
- Identify security vulnerabilities
- Identify existing security controls to reduce the risk
- Determine the likelihood of occurrence
- Determine the severity of impact
- Determine the risk level

22 Phase III – Threat Analysis
- Identify different types of security threats
  - A starting point would be to consider those threats that might actually impact an enterprise:
    - Unauthorized access
    - Denial of Service
    - Social Engineering
    - Theft
    - Hurricane
    - Fire
    - Pharming
    - Phishing
    - Virus/Worms

23 Phase III – Threat Analysis
- Identify different types of security vulnerabilities
  - Identify the vulnerabilities associated with each threat to produce a threat/vulnerability pair. A vulnerability may be associated with a single threat or with multiple threats. Examples:
    - There is no disaster recovery plan
    - Flammable materials stored in the Data Centre
    - Lack of fire extinguishers
    - Default user IDs and passwords still in use
    - Operating System without the latest patch
    - Data center's door does not have a lock
    - TFTP service enabled on the Unix hosts
    - Shared folder with Everyone full control

24 Phase III – Threat Analysis
- Identify existing controls to reduce the risk
  - Identify existing controls that reduce:
    - The likelihood or probability of a threat exploiting an identified security vulnerability.
    - The magnitude of impact of the exploited vulnerability on the system.

25 Phase III – Threat Analysis
- Deliverable – Phase III
  Item No. | Threat Name | Vulnerability Name | Risk Description | Existing Controls | Likelihood of Occurrence | Impact Severity | Risk Level
  1 | Fire | Lack of fire extinguishers | There are not fire extinguishers | Disaster Recovery plan – There is a DRP in place | Low Medium Moderate Damaging High (the three rating cells ran together in the transcript)

26 Phase IV – Security Control Testing
- Test the security controls / safeguards that are in place
- Consider performing different types of security tests
- Determine if the control exists and if the control works effectively and consistently
- Determine the residual risk
- Determine if additional security controls are required
- Develop an action plan to remediate security issues noted

27 Phase IV – Security Control Testing
- Deliverable – Phase IV
  Item No. | Recommended Safeguard Description | Residual Likelihood of Occurrence | Residual Impact Severity | Residual Risk Level
  1 | Install fire extinguishers | Low | Damaging | Moderate
  The item number is used to reference the vulnerability defined in the Phase III deliverable.
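The Phase II to Phase IV deliverables above (slides 19 through 27) can be kept as one register that derives the risk level and the residual risk level from the same scale, so that the Phase IV row is reproducible from the Phase III row plus the recommended safeguard. The following is an added example, not the presenter's own tool; the 3x3 rating matrix, the impact scale and the second register item are assumptions, since the slides name the levels but never show the complete scales.

```python
# Added example, not from the presentation: a small risk-register model following
# slides 19-27 (Phase II classification, Phase III threat/vulnerability pairs, Phase IV
# residual risk). The rating matrix is an assumption: the slides never show the full scales.
from dataclasses import dataclass, field

LIKELIHOOD = ("Low", "Medium", "High")          # levels named on the slides
IMPACT = ("Minor", "Significant", "Damaging")   # assumed; only "Damaging" is on the slides
RISK = ("Low", "Moderate", "High")              # "Moderate" and "High" are on the slides

def risk_level(likelihood, impact):
    """Assumed 3x3 matrix: rank sum 0-1 -> Low, 2 -> Moderate, 3-4 -> High."""
    score = LIKELIHOOD.index(likelihood) + IMPACT.index(impact)
    return ("Low", "Low", "Moderate", "High", "High")[score]

@dataclass
class RiskItem:
    item_no: int
    classification: str        # Phase II: "C" critical, "E" essential, "N" normal
    threat: str                # Phase III threat/vulnerability pair
    vulnerability: str
    existing_controls: str
    likelihood: str
    impact: str
    # Phase IV safeguards: (description, likelihood after, impact after)
    safeguards: list = field(default_factory=list)

    def risk(self):
        """Phase III rating with only the existing controls in place."""
        return risk_level(self.likelihood, self.impact)

    def residual(self):
        """Phase IV rating once every safeguard is applied; a safeguard may lower a level, never raise it."""
        lik, imp = self.likelihood, self.impact
        for _, new_lik, new_imp in self.safeguards:
            lik = min(lik, new_lik, key=LIKELIHOOD.index)
            imp = min(imp, new_imp, key=IMPACT.index)
        return risk_level(lik, imp)

def action_plan(items):
    """Phase V: item numbers in remediation order, highest residual risk first."""
    return [i.item_no for i in sorted(items, key=lambda i: (-RISK.index(i.residual()), i.item_no))]

# Constructed register: item 1 is the fire example from slides 25 and 27.
REGISTER = [
    RiskItem(1, "E", "Fire", "Lack of fire extinguishers", "There is a DRP in place",
             "Medium", "Damaging", [("Install fire extinguishers", "Low", "Damaging")]),
    RiskItem(2, "C", "Unauthorized access", "Shared folder with Everyone full control",
             "None", "High", "Significant",
             [("Restrict share permissions to the HR group", "Low", "Significant")]),
]
```

With the assumed matrix, item 1 rates High before remediation and Moderate (Low likelihood, Damaging impact) afterwards, which is the residual row shown on slide 27.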

28 Phase V – Implementation of Security Controls
- Prioritize implementation of security controls:
  - Based on risk
  - By business area
  - By technical area

29 Phase VI – Monitoring Security Controls
- Implement mechanisms to monitor security controls. This phase can include:
  - Review of system and application logs
  - Review of system and application exception reports
  - Different types of audits
  - Different types of security assessments
  - Department self assessments

30 Security Attack Trends and Prevention Strategies

31 Title
- Malware infection leapt from 50 percent of respondents to 64.3 percent of respondents
- Financial fraud increased from 12% to 20%
- Password sniffing increased from 9% to 17%
- Laptop or mobile hardware theft or loss remains the same

32 Countermeasures
- Apply patches and updates
- Implement strong security policies, procedures, and standards
- Turn off and remove services that are not needed for normal company network operations
- Perform filtering on all network traffic to ensure that malicious activity and unauthorized communications are not taking place
- Provide additional security awareness training to end users
- Install additional security software (e.g. Data Leakage products)

33 Countermeasures
- Change or replace software or systems
- Apply sound configurations to systems and applications
- Apply frequent updates to antivirus systems
- Apply sound encryption mechanisms
- Apply general logical and physical security measures

34 Sources of Information for Developing a Security Strategy
- Information security and privacy laws (GLBA, FACT Act)
- Industry standards (ISO 27001:2005)
- Sector specific information security standards (PCI)
- Previous attacks on your organization / other organizations
- General news reports of other attacks / incidents
- Information shared in associations / reputable forums
- Executive and management priorities
- Contracts with business partners

35 Emerging Technologies and Social Media – Security Threats and Countermeasures

36 Social Media and Networking
- Social media technology involves the creation and dissemination of content through social networks using the Internet.
- Social media and networking is rapidly growing and becoming more popular than e-mail communication.
- Examples: Facebook, Myspace, Twitter and LinkedIn

37 Security Issues Relevant to Social Media
- Social Engineering: exploits people
- Spam and Malware Attacks: exploit systems
- Disgruntled Employee: reputational damage to the organization
- Legal Issues: regulatory sanctions and fines assessed on the organization

38 Countermeasures
- Policies and Procedures
  - Corporate privacy protection
  - Nondisclosure / posting of business-related content
  - Acceptable use in the workplace
  - Acceptable use outside of the workplace
  - Action plan for privacy breaches and escalation

39 Countermeasures
- Training and Awareness
  - Communicate policies to employees
  - Inform employees of risks involved with social media sites
  - Social engineering trends and techniques
- Technical Safeguards
  - Up-to-date antivirus and antimalware controls
  - Content filtering programs to restrict/limit access
- Audits and Assessments

40 Emerging Technologies that can Help
- Emerging security technologies
  - Biometrics
  - Self-encrypting hard drives
  - USB tokens for authentication
  - Mobile Device Security: authentication, antivirus, firewalls, anti-spam and encryption for mobile devices

41 Technologies that Require New Security Measures
- Cloud Computing
  - Shared infrastructure
  - Becomes difficult to control and protect
- Smart Phones
  - Becoming the standard phones
  - Another version of a regular computer
- I-spoof and other Applications
  - Spoof your telephone number and trick individuals who rely on it

42 Countering New Challenges
- Establish and enforce strong authentication policies for devices trying to access corporate networks
- Require employees to use a corporate VPN and encryption when handling sensitive data
- Configure devices and software applications according to configuration standards

43 Countering New Challenges
- Corporate security policies prevent workers from transferring sensitive data to mobile devices or unauthorized computers
- For laptops/netbooks consider air cards, which require a service plan, instead of hot spots for wireless connections

44 Countering New Challenges
- Establish ground rules for the use of devices like the iPad, and develop policies and procedures that take the security limitations of the device into consideration and adequately protect sensitive business data
- Perform periodic risk and security assessments
- Set resource controls

45 Countering New Challenges
- Provide security awareness and training
- Eliminate any unnecessary services

46 Enterprise Risk Management
Phone: 305.447-6750
Fax: 305.447-6752
e-mail: info@emrisk.com
URL: www.emrisk.com

