
Slide 1: Change in enterprise information security strategies for responding to emerging threats
(ISC)² SecureAsia@Seoul Conference, 29-30 Oct 2008
Presented by Dr. Soojung Shin, CISSP, Executive Vice President, Infosec, Korea (2008.10)

Slide 2: Contents
1. Change in the recent threats
2. Expanded attack
3. Change in the environment
4. Change in the strategies
5. Strategies
6. Conclusions

Slide 3: 1. Change in the recent threats
Past -> Present
- Motive: ability show-off -> clear monetary goal
- Target layer: IT infrastructure attack -> application, user, social engineering
- Path: attacking systems of the target company directly -> using a roundabout path
- Objective: cyber system -> customer information

Slide 4: 2. Expanded attack
Diagram: internet attacker, employee/partner, information...
(1) System/application attack
(2) Wireless attack
(3) Attack using a trusted entity (partnership network)
(4) Attacking users
(5) DDoS attack
(6) On/off-line information leakage (document, USB, PC, backup...)

Slide 5: 3. Change in the environment
Past -> Present
- Government: autonomously regulating environment -> strengthened government-based legal regulations
- Customer: passive, sporadic response -> positive, collective response
- Enterprise: particular department, CIO/CSO's agenda -> the whole company, CEO's agenda

Slide 6: 4. Change in the strategies
Past -> Present
- Infra-centric -> information-centric
- Technology-centric -> people-centric
- Baseline-centric -> risk-centric
- Ad-hoc approach -> process and governance
- Security -> security & privacy
- Target: company and people -> virtual company & people
- Company-own policy -> compliance & due diligence

Slide 7: 5. Strategies (1) Information-centric
Diagram elements: threat, information, network, system, application, vulnerability, asset, risk
Area of interest: information (dynamic)

Slide 8: 5. Strategies (2) People-centric
Diagram elements: risk, threat, network, system, application, vulnerability
Area of interest: people (dynamic)
- Who are the core of security risk?
- What are their permissions?
How can the risk be reduced?
- Can their number be reduced?
- Can their permissions be limited?
- Will training be strengthened?
- Will technical controls be strengthened?
- How can spontaneity be induced?
- How can audit and assessment be conducted?

Slide 9: 5. Strategies (3) Security & Privacy
Management system / process:
- Analysis & control of the personal-information handling process (on- & off-line)
- Analysis & control of people in accordance with the process
- Analysis & control of systems managing and protecting the personal information
- Designing a personal information protection management framework & architecture
Personal-information lifecycle: generate/collect, store, use, transfer, destroy
Principles: identifying purpose, notice, collection/use limitation, openness & transparency, individual participation, security, accountability, data quality

Slide 10: 5. Strategies (4) Virtual Organization
Old area: enterprise assets & people
New area: partner company assets and people; customers
- Policy, support, audit, training and certification system for the partner companies
- Policy, support and training system for customers

Slide 11: 5. Strategies (5) Risk-centered
Diagram elements: service planning, service/system development, service/system operation, enterprise marketing
- Equipping with a framework and methodology for managing information risks
- Necessity of utilizing a threat-centered risk assessment methodology
- Assessing only the company's critical assets
- Making it simple
- Making it a process

Slide 12: 5. Strategies (6) Governance & Process
- BOD level: understanding the top risks; reviewing the information security programs and policies of the enterprise
- Executives level: ensuring compliance, establishing R&R, performance evaluation
- Information security org. level: security planning, operating, responding to the threats
Diagram: Plan -> Implementation -> Operation & Check cycle (risk assessment, compliance audit, monitoring, operation) with mutual feedback to a Secure SDLC (analysis, design, development & test, secure operation)

Slide 13: 5. Strategies (7) Compliance & Due Diligence
Plan:
- Understanding related regulations and law
- Planning
Do:
- Awareness and training
- Storing and backing up information
- Security monitoring
- Forensics
- Incident handling
- Necessity of making preparations for lawsuit countermeasures
Check:
- Compliance check and audit
- Certification

Slide 14: 6. Conclusion
- Give the highest priority to information & people in information security
- Construct processes & systems for ensuring compliance with laws and regulations, and for responding to potential lawsuits
- Do not make the territory of information security narrow
- Watch the change of the threats and environment carefully, and change strategies accordingly
- With 2008 as the starting point, information security has become a business issue in Korea

