SOCITM Conference Oct 2009
Navigating a safe course to better information assurance
Enabling Your Business
Agenda
1 Introduction
2 Context
3 Government perspective
4 Assistance available
5 Point of view
Wrecks – A brief history of non-protection
Government, healthcare and education sectors accounted for 60% of data breaches and 60% of identities exposed*
*Symantec ISTR vol. XIII, Apr 2008
Data Protection
Reported DPA breaches: 578 since Nov 07
Private sector 172; NHS 162; Local Government 69; Central Government 56
“No organisation handling information can guarantee it will never experience losses. But people have a right to expect that their public services achieve and maintain high standards in this important area. Those involved in delivering those public services must work harder and be more effective to meet and exceed those expectations.”
(Sir Gus O’Donnell)
So what?
Personal data is now pervasive
[Diagram: personal data spread across five tiers. Network: Internet, WAN, other sites & partners, portals. End Point: web servers. Application: core app, custom app, enterprise app, Exchange server. DB/FS: database, replicated database, file server. Storage: disk storage, backup disk, backup tape, backups.]
Major threat areas
[Diagram: the same five tiers as the previous slide (Network, End Point, Application, DB/FS, Storage) with fifteen numbered threats overlaid. The original colour-codes each threat as High, Medium or Low risk; that rating is not recoverable from the text.]
1 Media lost or stolen
2 Disks stolen or discarded media exploited
3 Packets sniffed in transit
4 Privileged user breach (DBA/FSA)
5 Database/file server hack
6 (Semi-)trusted user misuse
7 Unintentional distribution
8 Privileged user breach
9 Application hack
10 (Semi-)trusted user misuse
11 Unintentional distribution
12 Physical theft of media or lost media exploited
13 Trojans / key loggers
14 Unintentional distribution
15 Public infrastructure access hack
Risk key: High Risk / Medium Risk / Low Risk
World Economic Forum 2009
PCI DSS
Requirements for Compliance: Access Control & Management; Encryption; Key Management; File Integrity Monitoring; Logging; Log Review; Information Security Policies; Network Security; Vulnerability Management
PCI Remediation Strategy
Key Focus Areas for PCI Compliance
Build & Maintain a Secure Network
Maintain a Vulnerability Management Program
Protect Cardholder Data
Implement Strong Access Control Measures
Regularly Monitor & Test Networks
Maintain an Information Security Policy
Real risk of compliance fatigue
[Diagram: stakeholders and oversight functions competing for attention – ICO, Finance, Legal, Risk, Internal Audit, External Audit, Corporate Services, Policy, Privacy, BCP, InfoSec, Op’Risk, ICT, Citizens, Council, Central Gov’t, LGA]
Increasing stakeholder demands
+ Expanding risk & control oversight functions
+ Changing law, policy & directives
= Business fatigue, lack of co-ordination, duplicate effort, risks falling between the cracks, competition for attention
IA challenges facing Public Sector
Government Agenda: shared services vs privacy vs efficiency; citizen centric – more online services
Global development
Citizen expectations
Growing threats to UK Plc
Expanding compliance requirements
New CIA – Convenience / Interoperability / Affordability
Reviews Conducted
HMRC – Poynter Review (Kieran Poynter, PwC), June 2008
MOD – Burton Review (Sir Edmund Burton), June 2008
Data Handling Review (Sir Gus O’Donnell), June 2008
Data Sharing Review (Richard Thomas & Dr Mark Walport), July 2008
Topics in this section: Data Handling Report; Security Policy Framework; Government Reviews; New Guidance; IA Maturity Model; Looking Forward
Reefs and rocks – where things go wrong
Cost reduction pressures
Competing business priorities: now vs secure
Failing to effectively risk manage 3rd parties: outsourcing, development, hosting, testing
New initiatives: cloud computing, offshore
Mobility: remote working, mobile computing (32GB of data on a mobile phone)
Compliance fatigue
Data Handling Report
Key DHR Recommendations
Core measures to protect personal data and other information across Government;
A culture that properly values, protects and uses information;
Stronger accountability mechanisms; and
Stronger scrutiny of performance.
Charts to help you
Security Policy Framework (SPF)
Replaced the Manual of Protective Security (MPS)
Collective responsibility to protect assets; must be able to share information; must have confidence in people; business resilience
Mandated Protective Security Policy for HMG Departments and their Agencies; includes IA Policy; 70 mandatory requirements
4 tiers: Tiers 1-3 Not Protectively Marked, available to the public & WIAC via CSIA; Tier 4 Restricted, available through an accredited route
New ICO powers: monetary penalties; assessment notices (without permission)
New EU e-privacy legislation will drive a ‘breach notification’ requirement (2-3 years)
The High Level View
National Information Assurance Strategy (NIAS)
Security Policy Framework (SPF) – 70 Minimum Mandatory Measures
Information Assurance Maturity Model (IAMM)
HMG IA Standard No. 6
Data Handling Review Guidelines
Cyber Security Strategy of the UK
Data Protection Act
Freedom of Information Act
Accreditation
CoCos
Other Legal / Compliance Requirements (PCI, RIPA, etc)
Some new lighthouses
Local Authority Data Handling Guidelines
Data Handling (NHS)
Enhanced governance: Govt level – IADG / IAOB; locally – SIRO / data ownership; improved professionalism – IISP
IA Good Practice Guides (currently 15): outsourcing, data aggregation, laptops, remote working, secure bulk data transfers
IA Standards: existing standards reviewed; new risk assessment methodology; new standards (IAS 6)
Protecting personal data
HMG IA Standard No. 6 – Protecting Personal Data and Managing Information Risk
Outlines the minimum measures that MUST be implemented by Departments & Agencies bound by the SPF.
Key Principles
Departments and delivery partners must protect personal data
Sensitive personal information must be handled in accordance with specific measures
Those with access to sensitive personal data must have appropriate training.
Government model for IA
INTRINSIC – Design in IA
EXTRINSIC – Evaluate solutions; determine residual risk
IMPLEMENTATION – Build in IA
OPERATIONAL – Ongoing IA management
“The pressure is to deliver quicker, but the advantage will be on those who can build in assurance” (Sir E. Burton)
IA Maturity Model (IAMM)
IAMM and IA Assessment Framework Published in Sept 2008 to assist Senior Information Risk Owners (SIROs) develop IA maturity within their Departments
Will assist boards to report improvements in their IA and IRM in their annual reports to Cabinet Office.
Incorporates SPF and DHR requirements and is aligned to ISO 27001.
Departments will need to provide evidence of IA maturity in their Agencies, NDPBs and delivery partners
5 levels – Initial (1) to Optimised (5)
Self-assessment and supported self-assessment
On the horizon
NIAS delivery
Continued focus on data handling (greater ICO powers)
Increased focus on training, audit and benchmarking
WIAC adoption of DH guidelines, SPF and governance measures
Delivery partner scrutiny
Partner with Industry Initiative (PWI)
Government Cyber Security Strategy
PCI incorporated into policy
Safety equipment
Education, education, education!
Through-life assurance approach – build security in & prove it
Risk management advice – CESG CLAS scheme
Ensure 3rd parties know what they need to do & do it! – flowdown of any CoCo requirements
Technology solutions – encryption, DLP, etc
Proven ability to react in the event of an incident – forensics readiness
Ongoing technical assurance – CESG CHECK scheme
Prove that your security is effective
Penetration tests (annual / bi-annual / quarterly), including CHECK
External network mapping
Vulnerability scanning service for the external network
Monthly reports
Workshops with security consultants
Point of view
The recent global events around data loss have been cause for significant reflection on the effectiveness of information risk management & compliance globally – expect more ‘regulation’
The pace of change in UK Government in particular has been unprecedented – the assurance elements have yet to mature
The quality and clarity of guidance available in the UK is unlike that of any other country globally
It is possible to implement an information-centric security assurance strategy which reduces compliance cost and minimises duplication of effort
Effective information assurance supported by sound governance is key to not repeating the mistakes of the past
A final word from the Information Commissioner
… The blunt truth is that all organisations need to take the protection of customer data with the utmost seriousness. I have made it clear publicly on several occasions over the past year that organisations holding individuals’ data must in particular take steps to ensure that it is adequately protected from loss or theft. … Getting data protection wrong can bring commercial, reputational, regulatory and legal penalties. Getting it right brings rewards in terms of customer trust and confidence. …
Richard Thomas, April 2008
Questions …?