Page 1

Defending the Digital Frontier: An Overview

Mark W. Doll
Americas Director, Digital Security Services
Ernst & Young LLP

Page 2

Rudy Giuliani’s call to action

"The time has come for senior executives of U.S. corporations to follow the President's lead and make security a mainstream, business-critical, board-level issue… the time when security-related decisions could be left to persons at a mid-manager level or decided solely upon budgetary considerations has passed. Senior executives must now take the steps to plan, prepare and practice to address their organizational security threats and challenges."

Page 3

Additional legislative requirements

California Senate Bill 1386, effective July 1, 2003, requires a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.... The bill would require an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data, as specified. The bill would state the intent of the Legislature to preempt all local regulation of the subject matter of the bill. This bill would also make a statement of legislative findings and declarations regarding privacy and financial security.

Page 4

The Security Frontier

[Chart: IT usage and reliance on IT rising from the 1970s through the 2000s. X-axis: IT usage / probability of failure (low to high); y-axis: impact of failure (low to high). Productivity improvement brings increased risk.]

The digital frontier and corresponding security risk combine to create a new frontier. We call this the security frontier.

Page 5

The Digital Security Gap

Caught up in the pursuit of productivity improvements, management apparently overlooked security.

[Chart: total spending (low to high) against time, 1990s to 2000s. Total IT spending rises faster than total security spending; the widening distance between the two curves is labelled the Digital Security Gap.]

Page 6

6 Key Security Characteristics

Page 7

1) Aligned digital security

[Diagram: digital security aligned with business objectives, the information technology organization and digital assets.]

The attainment and maintenance of appropriate alignment among digital security, the IT organization, digital assets and business objectives.

The distance between the top levels of management and the security team is known as the Security Management Gap.

79% of respondents in the 2002 Ernst & Young Digital Security Overview survey indicated that the documentation, implementation and follow-through cycle for their information security policies was not being carried out completely.

Page 8

2) Enterprise-wide digital security

[Diagram: corporate-level view of the enterprise.]

A holistic view of the security needs for the entire organization, as well as its extended enterprise, to ensure consistent, efficient deployment. Critical authority is given to a centralized body to ensure consistently highly effective security throughout the organization.

86% of companies surveyed have intrusion detection systems in place. However, of those companies, only 35% actively monitor 95% to 100% of their critical servers for intrusions.

Page 9

3) Continuous digital security

Real-time monitoring and updating of all security policies, procedures and processes to ensure a timely response to issues and opportunities.

Not occasionally. Not periodically. Continuously.

46% of respondents indicated that they use manual or partially automated methods of tracking physical assets as opposed to fully automated methods.

Page 10

4) Proactive digital security

[Chart: risk intelligence (low to high) against time. The traditional approach relies on an initial assessment followed by periodic assessments; the proactive approach adds ongoing monitoring between assessments.]

The ability of a security program to effectively anticipate potential threats and vulnerabilities and to maintain the confidentiality, integrity and availability of its digital assets.

Only 16% of respondents have wide-scale deployment of vulnerability tracking mechanisms and knowledge of all critical information vulnerabilities.

Page 11

5) Validated digital security

[Diagram "Rigor of Validation": who validates (Self, Peer, 3rd Party), what is validated against (To a Unit, To a Business Objective, To a Standard) and the resulting state (Deployed, Tested, Validated).]

Achieving highly effective digital security requires third-party validation of critical security components and business objectives.

66% of respondents indicated that their information security policies are not in complete compliance with the domains defined by ISO 17799, CISSP, Common Criteria or other recognized models.

Page 12

6) Formal digital security

[Diagram: policies plotted by how well they are documented (minimally to highly) against how well they are confirmed (minimally to highly); quadrants labelled Situational, Experience-based, Documented and Formal.]

Policies, standards and guidelines that provide fundamental direction on digital security issues and are endorsed by senior staff. To be formal, they must be documented and tested, then communicated to every member of the organization.

13% of respondents have integrated business continuity and disaster recovery plans that address recovering the entire enterprise. 7% indicated they have no documented plans in place.

Page 13

Executive management must understand

Scenario-based simulations: Table-top exercises

The organization’s response

Critical roles and responsibilities

Action plans to minimize the effect of an incident

Monitor and test responses

Page 14

Model and define risk: establish consistent threat categories

[Table: threat categories (Tactical Inefficiencies; Chronic or Series of Inefficiencies; Core Process or System Shutdown; Risk to Multiple Customers; Risk to Customer Segment) assigned digital impact/risk levels 1 to 5, shown alongside the Department of Homeland Security advisory levels Low (Green), Guarded (Blue), Elevated (Yellow), High (Orange) and Severe (Red).]

Page 15

The fulcrum of control

[Chart: impact of occurrence (low to high) against frequency of occurrence (low to high), with risk levels 1 through 5 plotted. A line labelled "Fulcrum of Control" separates the "Immediate Action" region from the "ROI Decision" region.]

The ability to control and contain digital security incidents is the key to success.

Management must determine this tipping point, or fulcrum, and use it to drive their focus.

Page 16

Manage risk for a competitive advantage

[Chart: impact of occurrence (low to high) against frequency of occurrence (low to high), risk levels 1 through 5, with Company A's position plotted against the industry's.]

Maintaining digital availability when competitors in your industry fail is critical to most companies’ long-term success.

Page 17

Highly effective security cultures:
are chief executive-driven
maintain a heightened sense of awareness
utilize a digital security guidance council
establish timetables for success and monitor progress
drive an enterprise-wide approach

The level of commitment of an organization’s personnel to the principles of security will determine the success or failure of the digital security program.

Page 18

For more information…

Mark Doll
Americas Director, Digital Security Services
Ernst & Young LLP
212-773-1265

Or

Web site: ey.com/security
Security Info-line: 888-706-2600