ECONOMIC ASPECTS OF DATA PROTECTION. South Eastern Europe Conference on Regional Security through Data Protection, Belgrade, December 1-2, 2003. Daniel C. Hurley, Jr.

1 ECONOMIC ASPECTS OF DATA PROTECTION
South Eastern Europe Conference on Regional Security through Data Protection
Belgrade, December 1-2, 2003
Daniel C. Hurley, Jr.
Director, Critical Infrastructure Protection
U.S. Department of Commerce

2 Within the U.S. Government, the Department of Commerce is the appropriate agency for addressing economic security issues:
– Core mission incorporates CIP
– Historic ties with and understanding of industry
– Trust between the Department and industry
– With DOC's involvement, U.S. industry participates more effectively

3 Critical Infrastructure Assurance Challenges
– Vulnerabilities increase with "always on" network connections, telecommuting and lax security practices
– Viruses, DoS attacks, identity theft and other practices can aid terrorist activity
– Lukewarm corporate and public interest in InfoSec awareness and education, although that has changed somewhat post-September 11th
– The CSI/FBI survey (2003) found that about "90 percent of respondents detected computer security breaches in the past year, but only 34 percent reported those attacks to authorities."

4 Costs of Computer Crime
Losses reported by survey respondents:
– 2003: $201 million
– 2002: $455 million
Types:
– Theft of proprietary information ($70 million)
– Denial of service ($65 million)
– Financial fraud ($10.2 million; down from $116 million in 2002)
Forms of attack:
– Virus incidents (82% of respondents)
– Insider abuse (80% of respondents)
Source: CSI/FBI 2003 Computer Crime and Security Survey

5 Examples of Recent Attacks
Klez virus:
– Clean-up and lost productivity: $9 billion
Code Red:
– 1 million computers affected
– Clean-up and lost productivity: $2.6 billion
Love Bug:
– 50 variants, 40 million computers affected
– Clean-up and lost productivity: $8.8 billion
NIMDA:
– Clean-up and lost productivity: $1.2 billion
Slammer:
– Clean-up and lost productivity: $1 billion+

6 "Business Case" for Cybersecurity
– There is a 21% return on investment for cyber security systems implemented early in network development. Source: CSO Magazine, 2002
– "The costs of a severe computer attack are likely to be greater than the preemptive investment in a cyber security program would have been." Source: National Strategy to Secure Cyberspace, February 2003

7 Premise: Infrastructure security can have a direct effect on shareholder value.

8 Shareholder Value Metrics: Gordon Growth Model (Investment Analyst View)
Market Capitalization = Free Cash Flow / (Cost of Equity − Growth of Free Cash Flow)

9 Shareholder Value Metrics: Gordon Growth Model (CEO View)
Market Cap = [Increase revenues, reduce expenses, grow free cash flow] / [Manage risks: operational, credit, reputational]
(The numerator is what drives free cash flow; the denominator, the cost of equity less growth, is what risk management drives.)

10 Risk Management is Key
Five-year cost of equity = Stock volatility (8%) + Corporate credit spread (1%) + Government bond rate (6%) = 15%

11 Shareholder Value Metrics: An Example
$2.0 billion market cap = $100 million / (15% − 10%)

12 Shareholder Value Metrics: An Example
$1.67 billion market cap = $100 million / (16% − 10%)
A 1% increase in the cost of equity decreases market capitalization by $333.3 million.
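Slides 10 through 12 apply the Gordon growth model to one set of inputs. The following Python script is an added example, not part of the original presentation: it reproduces the deck's figures ($100 million free cash flow, 10% growth, a 15% cost of equity built from the three components on slide 10) and extends them with a small sensitivity table, which shows that the value destroyed per additional point of cost of equity shrinks as that cost rises, so a linear "$333 million per point" rule of thumb overstates the loss at higher rates. The function names and the guard against a cost of equity at or below the growth rate are the example's own choices.

```python
"""Gordon growth model worked through with the deck's numbers.

Constructed example; the presentation states only the inputs and the
two resulting market capitalizations.
"""


def cost_of_equity(volatility_premium, credit_spread, risk_free_rate):
    """Slide 10's decomposition: the five-year cost of equity is the sum
    of a stock-volatility premium, the corporate credit spread and the
    government bond rate (8% + 1% + 6% = 15%)."""
    return volatility_premium + credit_spread + risk_free_rate


def market_cap(free_cash_flow, k, g):
    """Gordon growth model: value = FCF / (cost of equity - FCF growth).

    Only defined for k > g; at or below g the discounted series does not
    converge, so the model gives no finite value (guard is this example's)."""
    if k <= g:
        raise ValueError("cost of equity must exceed the growth rate")
    return free_cash_flow / (k - g)


def value_lost(free_cash_flow, k, g, delta_k):
    """Market value destroyed when a security incident (or the market's
    perception of one) raises the cost of equity by delta_k, all else equal."""
    return market_cap(free_cash_flow, k, g) - market_cap(free_cash_flow, k + delta_k, g)


def sensitivity_table(free_cash_flow, k, g, steps):
    """Market cap at k, k+1%, ..., k+steps%, as (rate, cap) pairs.

    The loss per extra point shrinks as k rises: the relation is convex,
    not linear, so the first point of risk premium is the most expensive."""
    rows = []
    for i in range(steps + 1):
        ki = round(k + i / 100, 4)
        rows.append((ki, market_cap(free_cash_flow, ki, g)))
    return rows


if __name__ == "__main__":
    FCF = 100e6  # $100 million free cash flow (slide 11)
    G = 0.10     # 10% growth of free cash flow (slide 11)
    K = cost_of_equity(0.08, 0.01, 0.06)  # 15% (slide 10)
    print(f"cost of equity: {K:.0%}")
    print(f"market cap at {K:.0%}: ${market_cap(FCF, K, G) / 1e9:.2f} billion")
    print(f"loss from +1%: ${value_lost(FCF, K, G, 0.01) / 1e6:.1f} million")
    for ki, cap in sensitivity_table(FCF, K, G, 4):
        print(f"  k={ki:.0%}  cap=${cap / 1e9:.3f} billion")
```

Running the script prints the $2.0 billion and $333.3 million figures from the slides, then the caps at 16% through 19%; the gap between successive rows falls from $333 million to $238 million, $179 million and $139 million.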

13 Simple Tenets of Business Survival
– Keep the company in business: meet the needs of paying customers
– Fiduciary responsibility: protect the interests of shareholders and other investors
  – Retain and increase value; grow revenue and earnings (ROI, ROE, market share, ...)
– Do the above in compliance with applicable law and regulation

14 Ten Questions About Information Security
1. Accountability - What management system have we established to assure effective assignment of accountability for the security of our information and supporting technology resources?
2. Awareness - What has management done to ensure that all parties know, understand, and accept the importance of adhering to sound information security?
3. Ethics - What has management done to ensure that we are using our information assets and administering information security in an ethical manner?

15 Ten Questions About Information Security (continued)
4. Multidisciplinary considerations - What has management done to ensure the perspectives and considerations of all interested and affected parties are considered and balanced in developing our information security policy?
5. Proportionality - What cost/benefit, risk, and due care analyses have been applied to the selection of our information security controls?
6. Integration - How has management coordinated and integrated information security with overall policies and procedures to create and maintain effective security throughout our information systems?

16 Ten Questions About Information Security (continued)
7. Timeliness - What capabilities do we have to ensure that failures involving information technology or its management will not endanger the organization, its supported business units, its neighbors, or their information assets, and will not impair their ability to operate?
8. Assessment - What capabilities do we have to ensure that risks associated with information and supporting technology resources are effectively assessed on an appropriate periodic basis, or as otherwise required, and managed accordingly?

17 Ten Questions About Information Security (continued)
9. Equity - How does management ensure that information security measures are fair and legal?
10. Information sharing - How effectively does management share appropriate information with peer organizations and appropriate governmental entities?

18 Security Incentives - Internal
Tone at the top:
– Mission, values, strategies, and objectives
– Results, reputation, and learning
Assurance objectives:
– Availability, capability, functionality, protectability, and accountability
Management practices:
– Operations, reporting, compliance, and safeguarding of assets
– People, technology, processes, investment, and communications

19 Systems Assurance and Control Model (diagram)

20 Board and Executive Responsibilities for Information Security
Tone at the top:
– Ethics, quality, trust, security, reliability
Board of Directors:
– Duty of care to ensure it receives sufficient reliable evidence to govern the organization
– Ask insightful questions and assess the appropriateness of the answers
– Duty and challenge to keep abreast of the myriad subjects influencing business governance

21 The Audit Committee of the Board
– Reliability of information and its presentation in financial and other reports
– Ensuring regulatory compliance
– External and internal auditing:
  – Selecting and retaining the auditors
  – Direct reporting relationship with the chairman of the audit committee
  – Independence and objectivity

22 Audit Examples
– Review processes for systems design, development, maintenance, and enhancements
– Review network operations and security
– Review change controls for systems, networks, and information
– Select and analyze data for verification of controls or assessment of anomalies
– Review access controls for security and accountability

23 Audit Examples
– Review business processes and supporting systems and data
– Review the effectiveness of specific activities such as intrusion control
– Assess business continuity, including participation in recovery testing
– Assess sensitive activities such as incident response
– Consult in any area of security or controls to facilitate improvement and efficiency

24 The Role of Private Insurance
Government regulations generally promote behavior through negative reinforcement (e.g. fines, jail, etc.)
versus
Private insurance generally promotes behavior through positive reinforcement (e.g. availability of insurance, lower premiums)

25 What are the Underwriter's Obligations?
– Prevent or mitigate the loss
– Risk transfer: transfer the loss
– Assist in post-incident support and reputation rebuilding

26 What are the risks to manage?
– Legal liability to others: security breaches, web content, professional E&O
– Loss of or damage to my data
– Loss of revenue due to a DoS attack
– Loss of or damage to reputation
– Loss of market capitalization and resulting shareholder lawsuits

27 Value of Insurance
– Computer attacks hit with huge frequency and are causing substantial damage.
– The private insurance sector plays a unique role in motivating behavior by adjusting the price and availability of insurance.
– In addition to providing coverage, insurance firms should help to prevent the loss by aligning themselves with quality security technology companies, within a specialized unit.

28 Future Concerns - Examples
Systemic issues not being addressed systemically:
– e.g., software patch management as a symptom
People - the biggest concern:
– IT workforce shortfalls (including INFOSEC)
– Lack of feedback of "good practices" into the education process
– Management awareness/education
– Accountability
– Citizen awareness/education/training ("K-life") - a cultural issue
Disruptive technologies:
– Wireless
– Miniaturization: e.g., nanotechnology and MEMS
– Moore's Law: increasing power to the individual at lower cost
– Network-enabled applications: e.g., peer-to-peer sharing

29 CIP Lessons Learned
GLOBAL ECONOMIC BENEFITS OF CIP
– Economic security is a motivating factor
– Complements law enforcement and national security objectives
CONTINUOUS EDUCATION & AWARENESS NECESSARY
– Solutions involve people, not just technology and process
INDUSTRY INTERACTION ESSENTIAL
– Facilitates issue identification
– Broadens analytic support
– Facilitates buy-in by industry
– Accelerates the economic benefits to be derived

30 The Final Word...
Effective information security management and monitoring practices can either be adopted and enforced by management, or they will eventually be mandated by regulation, legislation, lawsuits, and/or insurer requirements. Those who benefit most from effective security practices will be the early adopters who recognize them as good business practice and build them into their systems and processes as integral business components.

31 Information for This Presentation Was Provided By:
– Charles LeGrand, Director of Technology Practices, The Institute of Internal Auditors
– James McNulty, President & CEO, Chicago Mercantile Exchange, Inc.
– Ty Sagalow, Chief Operating Officer, AIG Global eBusiness Solutions
– The Information Technology Association of America (ITAA)

32 THANK YOU
Daniel C. Hurley, Jr.
Director, Critical Infrastructure Protection
U.S. Department of Commerce
www.ntia.doc.gov
dhurley@ntia.doc.gov