Upload
kapono
View
68
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Financial Advisory & Litigation Consulting Services. Financial Advisory & Litigation Consulting Services. Risk Management 2006 September 14-15, 2006 The Metropolitan Club, New York, NY Workshop B: Information Risk/Security Track Presented by: George G. McBride, CISSP, CISM Aon Consulting. - PowerPoint PPT Presentation
Citation preview
Financial Advisory & Litigation Consulting Services
Financial Advisory & Litigation Consulting ServicesFinancial Advisory & Litigation Consulting Services
Risk Management 2006September 14-15, 2006The Metropolitan Club, New York, NY
Workshop B: Information Risk/Security TrackPresented by: George G. McBride, CISSP, CISMAon Consulting
2
Complexity: The root of evil!Complexity: The root of evil!
Complexity:• Huge manuals• Certifications
required to utilize/purchase
• Undocumented features
• Staffing issues• Updates and Patches
and Hot-Fixes and Service Packs and upgrades!
• Changing technology• Complex DMZs• And many more!
3
Information Technology Security ChallengesInformation Technology Security Challenges
• Enterprises are globally connected and information-driven• Extended enterprises include business partners, outsourcing
providers, telecommuters, clients, etc• Network & technology dependency has created critical risk
exposures that are becoming more difficult to manage• External/internal threats to information assets are rapidly
growing and changing• Regulatory requirements are increasing in scope and
complexity • Technologies are continuously emerging and converging• Customers demand high-level of security/privacy for their
data.
Over 5 exabytes of total new information were produced and stored in 2005. Five exabytes is about equal to 500,000 Libraries of Congress. (Report by UC,Berkeley)
Interesting Fact
5
Information Security and Risk Services Information Security and Risk Services
• We provide a comprehensive approach to information security risk management issues— A Return on Security Investment to enable intelligent risk
management decisions
— A holistic approach in managing information security risk
— Partnering with clients throughout the information security risk management life cycle
— Working with technology vendors and insurance partners to negotiate the best possible rates for risk mitigation or risk financing
— Formal methodology to assess risk• Repeatable, documented, and evolving
The Aon Difference
6
What is the solution?What is the solution?
• Information security risk management should:— Align with business objectives— Integrate people, process — and technology— Focus on the business impact of
information loss — Be based on leading practices and
standards— Architected to enable multiple risk
mitigation
Threats• Opportunity• Motivation• Capability
Threats• Opportunity• Motivation• Capability
Vulnerabilities• Technology• Processes• People
Vulnerabilities• Technology• Processes• People
Potential Consequences- IT Disruption - Financial Loss- Litigation - Damaged Brand- Regulatory fine - Revenue loss
7
Risk-based Security StrategyRisk-based Security Strategy
1. Identify the threats to specific business areas2. Assess the level of vulnerability3. Gauge the potential impact4. Develop security option path
Transfer
Control
Manage
Security Options
Risk Framework (Example)
8
Benefits of a Risk-based Integrated ApproachBenefits of a Risk-based Integrated Approach
• When utilizing a risk based, integrated approach the organization can:— Transfer risks to third parties or purchase insurance
— Control risk through the implementation of security controls
— Monitor risks that the organization chooses to accept
— Make the right security investments to address the most critical assets within the organization
— Ensure effectiveness of the most critical element of security---people
— Address regulatory compliance efficiently and cost-effectively
9
Integrated with the OrganizationIntegrated with the Organization
• Information security is not just a “technology” issue
• Human elements and processes are also essential: — People: The #1 cause of security breaches. People issues
include: policies & procedures, technology management, security awareness, incident response, security organization
— Process: How work is conducted has a huge impact on how security should be designed and deployed--it balances productivity with security
— Technology: Focus has traditionally been on external threats and perimeter security technology e.g. firewalls, intrusion monitoring, network security, etc. Technology can also help with internal issues as well e.g. Role Based Access Control
Definition: Role Based Access Control (RBAC)
A method of regulating access to computer or network resources based on the roles of individual users within an enterprise. By definition RBAC incorporates elements of People, Processes and Technologies
10
Information Security and Risk Services Information Security and Risk Services
Deliverables
Tools
Approach
Activities
Phase
• Executive summary and detailed report, including:
• Significant findings• Benchmark/scoring • Continuous risk
improvement process
• Commercial and proprietary tools
Assess
• Identify and analyze information security risk profile
• Facilitated sessions• Documentation review• Data collection• Testing and validation• Valuation exercises
• Analyze risk/security gaps
• Document improvement recommendations
• Conduct strategic security planning
• Vendor evaluation and selection
• Information Security Roadmap
• Solution architecture• Prioritized objectives• Implementation plan• Timeline• Success criteria• Team structure• Industry best practices
and standards framework
Plan
• Security solutions based on:
• Regulatory compliance• Industry standards and
best practices• Objectives that are
important to the organization
• Security technology center
• Project management and reporting tools
• Solution design and architecture
• Program/project management
• Solution deployment
Implement
11
Information Security and Risk ServicesInformation Security and Risk Services
Consulting
Assessment
• Information Security Risk Assessment & Analysis
• Regulatory Compliance Reviews• Security Controls Gap Analysis• Network & System Vulnerability Assessment• Application Security Assessment• PBX Assessment• Penetration Testing• Wireless Security• Identity and Access Readiness Assessment• Technology and Vendor Selection Assessment• Social Engineering• Physical and Life Safety• Security Policy Review
Security Management
• Incident Response/Forensics Investigation
• Asset Classification• Network Security Architecture• Security Awareness Program• Information Security Program
Management• Disaster Recovery/Business Continuity
Planning• Secure Software Development • Staff Augmentation• General Security Consulting• Litigation Readiness Programs
12
Information Security and Risk ServicesInformation Security and Risk Services
•Firewall Implementation•Wireless Networking• Identity and Access
Management
Access Control
Implementation
•Remote Access•Directory Services•Two Factor Authentication•Single Sign-On
Authentication
•Encryption•Storage and Archiving•Backup and Recovery
Data Management
•Patch Management
•Asset Tracking/ Management
•Endpoint Security
•Content Security
•Security Policy Framework & Development
Security Management
Threat Management
•Security Event Management•Anti-Virus•Anti-Spam• Intrusion Detection and
Prevention•Host Integrity
13
Industry Best PracticesIndustry Best Practices
• Even the professional services firms look to a 3rd party to assess, manage, design, and implement their infrastructure
• Look for true vendor neutrality in your assessors
• Use a proven methodology to assess your infrastructure
• Understand your baseline: what are you comparing your IT infrastructure to?
• Develop quality metrics
• Know your risk tolerance
Contact MeContact Me
George G. McBride
Financial Advisory & Litigation Consulting Services
Director, IT Security Consulting Risk Consulting Services Practice Office: 732.389.8944 Mobile: 732.429.0676 Email: [email protected]