Copyright 2004 Integrity Incorporated

Carolyn Burke, MA, CISSP, CISM

CEO, Integrity Incorporated

Mitigate Risk

March 23, 2004, 2pm

Things we should go over

Background Information

Identifying Risks

Relationship between Privacy & Security

What Causes Security & Privacy Risks

Using a Risk Management Approach

Risk and Vulnerability Assessment

Protecting Privacy & Security

Security & Privacy Management Capabilities Maturity Model

Case Study!

But first, how mature do you think you are?

• From 1 to 5, rate yourself:
  – on policy, process & procedures
  – on privacy & security
  – on technology

Identifying Risks

What is at Risk?

Assets of the organization include:
– Secrets

– $$

– Time, effort

– People

What else is at Risk?

– Public trust in the organization
  • PR risk
  • May impede ability of the organization to operate effectively
– Operational capabilities of the organization
  • Can be disrupted by unauthorized system modifications
  • Can be disrupted by Denial of Service and Distributed Denial of Service attacks

And still more

– Your clients
  • Privacy of clients’ personal information
  • Legally protected (legislation)
  • Contractually protected (policy, contract)
  • What information must be protected?
– Accuracy of clients’ personal information
  • Legal requirements
  • Operational necessity

Identifying Risks

The Relationship between Privacy & Security

(Diagram: security shown as the triad of confidentiality (C), integrity (I) and availability (A))

What Causes Security & Privacy Risks

• Technical vulnerabilities
• Fraud
• Operational issues
• The bad guys

Technical vulnerabilities

• Technical faults
• Software bugs, incorrect documentation
• Misconfiguration
  – software, servers, firewalls / security systems, routers
  – various other network elements
• Hardware failure
  – lack of redundancy
  – poor maintenance schedule

More technical vulnerabilities

• Poor technical architecture
• Lack of
  – appropriate perimeter defenses
  – intrusion detection systems
  – adequate access controls
  – adequate authentication systems
  – adequate authorization controls

Fraud

• Intentional misrepresentation
  – By clients
  – By staff
  – By company executives
• External parties misrepresenting the company

Operational issues

– Insufficient checks & balances
  • peer review
  • periodic internal review
  • external audit
– Human error
– Faulty procedures
– Undocumented or missing procedures
– Lack of standardization

Do you have:
• a security awareness program
• a readable security policy
• an incident response plan

More operational issues

– Lack of a clear policy framework
– Poor real-time handling of security incidents
– Lack of privacy awareness among all staff
– Lack of security awareness among all staff
– Extreme shortage of security skills among IT staff

Do you have:
• a business continuity plan
• a disaster recovery plan
• a backup and recovery system

Bad guys

– Amateur hackers
– Well-intentioned researchers
– Malicious professionals
– Financially motivated professionals (your loss, their gain)

What Causes Security & Privacy Risks

What high-level approach does your organization use today to address security & privacy issues?

• How effective is it?

The Risk Management Approach to Security & Privacy Strategy

You can’t eliminate 100% of risks… but you can develop a risk management framework which...

A Risk Management Framework

– takes a strategic approach
– provides a disciplined cost-benefit framework
– establishes clear high-level policies to guide tactical decision-making
– provides detailed processes & procedures
– specifies appropriate levels of protection (technical & procedural) based on sound analysis of vulnerabilities & resulting risks
– sets technical standards
– justifies security & privacy expenditures on both an economic & a legislative basis

The Risk Management Approach: Key Components

• Driven by risk analysis
  – Types of risks × Probabilities of risk × Costs of losses
  – Types of risk mitigation: impact on probabilities and losses
• High-level security & privacy mandate: policies!
• Accountability in all risk-related activities
• Success factors
  – Continuous Improvement
  – Dynamic response to new threats

Continuous Security Framework

Okay, this is for the CSO.

Continuous Security Framework

(Diagram: flow of control, flow of knowledge, verification)

Continuous Security Framework

Metrics & Continuous Improvement

The Risk Management Approach to Security & Privacy Strategy

Map out the high-level steps your organization needs to take to use a risk-management approach to privacy and security.

Risk and Vulnerability Assessment

Risk vs. Vulnerability
– Risk is economic & legal
– Vulnerability is technical & procedural

Quantifying risk

Economic Risk ($) = Types of risks × Probabilities of risk (%) × Costs of losses ($)

Assessing vulnerability

– Technical
  • Attack & Penetration Testing
  • Network Security Review
– Procedural
  • Privacy Impact Assessment
  • Policy Audit
  • Processes & Procedures Audit

Risk and Vulnerability Assessment

Estimate the outcomes which would result if your organization were to undergo:
– A thorough Attack & Penetration test?
– A thorough Network Security Review?
– A thorough Privacy Policies Audit?
– A thorough Operational Security (Processes & Procedures) Audit?

Protecting Privacy & Security

– Technology solutions
– Procedural solutions

Technology solutions

– Firewalls: privacy, integrity, authentication
– Encryption: privacy
  • Includes SSL (for web traffic), IPSec VPNs (for remote network access), PGP and S/MIME (for email), etc.

Technology solutions

– Passwords: authentication
  • Risks: reusable passwords, plaintext protocols
– Tokens: authentication
– Certificates: authentication
– Intrusion Detection Systems / IDS: integrity, privacy

Technology solutions

– Digital signatures: integrity, authentication, non-repudiation
– PKI: privacy, authentication, integrity, non-repudiation
– PMI: authorization, privacy, authentication, integrity

Procedural solutions

– “Need to know” (principle of least privilege): privacy
– Change controls: privacy, authentication, integrity, non-repudiation

Procedural solutions

– Audit processes: increased assurance re. all factors
– Technical standardization: privacy, authentication, integrity, non-repudiation

Protecting Privacy & Security

• What are the primary methods (procedural / technological) used by your organization to:
  – Protect privacy
  – Perform authentication
  – Ensure non-repudiation for online transactions
  – Maintain data and systems integrity

Security & Privacy Management Capabilities Maturity Model (TM)

Security & Privacy Management Capabilities Maturity Model (TM)

– Measuring success using a baseline
  • Proprietary, standardized
  • Based on CERT’s Systems Security Engineering Capability Maturity Model
– Provides maturity metrics on high-level organizational security and privacy capabilities

SPM-CMM(TM) Level 1

– Organization handles Security & Privacy issues informally
– Organization does not have documented Security & Privacy policies

SPM-CMM(TM) Level 2

– Organization has documented Security & Privacy policies
– Organization has assigned resources to plan Security & Privacy initiatives
– Effective training programs re. Security & Privacy
– Organization has effective processes to verify compliance with Security & Privacy policies

SPM-CMM(TM) Level 3

– Organization has concrete Security & Privacy standards & requirements (policies, procedures, technical standards)
– Organization has effective processes to verify consistency of all activities with Security & Privacy standards & requirements

SPM-CMM(TM) Level 4

– Organization has measurable, quantitative Security & Privacy goals
– Organization tracks objective performance relative to Security & Privacy goals
– Strong individual accountability

SPM-CMM(TM) Level 5

– Organization has an effective Continuous Improvement program for Security & Privacy
– Organization has defined improvement goals, causal analysis of Security & Privacy performance issues, and systematic incremental feedback

Security & Privacy Management Capabilities Maturity Model (TM)

(Diagram: maturity scale from Level 1 to Level 5)

• Important considerations:
  – What is the impact of moving to the next maturity level?
  – What changes to technologies, processes, and policy would you need to make?

Long-Distance Health Care / Privacy

• Public sector health care network enabling doctor-to-doctor communication between urban specialists and remote patients/hospitals/GPs
• Cost effective communication required: a private network using internet technologies
• Maintain privacy: information shared between organizations, across borders
• Security technology, policy reviews
• Privacy policies of all organizations amalgamated
• Most stringent policy had to apply to all to ensure that all policies were met

SPM-CMM(TM): Level 1 → Level 2

Results

• Policy review for all organizations

• Co-ordination of all co-operating institutions’ privacy policies so that they were amalgamated and fully covered; the most stringent policy had to apply to all

• Training to properly handle exchange of information - varying legislative jurisdictions

Services

• Needs Assessment, Privacy Impact Assessment, Gap Analysis, Policy Writing, Training

Where do you rank your organization on the SPM-CMM(TM)?

For security? For privacy? Overall?

Thank you!!!!

Carolyn Burke, MA, CISSP, CISM

CEO, Integrity Incorporated

www.integrityincorporated.com/subscribe.aspx
