Security Risk Management – Infosecurity.be – Alain Desausoi, Head of Enterprise Security and Architecture, CISO – 24 March 2011

Security Risk Management by Alain Desausoi


DESCRIPTION

Seminar by Alain Desausoi during Infosecurity.be 2011


Page 1: Security Risk Management by Alain Desausoi

Security Risk Management – Infosecurity.be

Alain Desausoi

Head of Enterprise Security and Architecture, CISO

24 March 2011

Page 2: Security Risk Management by Alain Desausoi

Agenda

• Governance and security strategy

• Risk management – where are we now?

• Risk management – how did we get there?

• Who is SWIFT?

Security Risk Management – Infosecurity.be – 24 March 2011

Page 3: Security Risk Management by Alain Desausoi

Governance and security strategy


Page 4: Security Risk Management by Alain Desausoi

Focus on security and reliability

Management governance to define the framework

Governance bodies (organisation chart on the slide): SWIFT Board; CEO; Executive Committee; Security Council; Security & Reliability Committee; ITOPS Management

Security objectives: to support commitments regarding
• Confidentiality
• Integrity
• Availability

SWIFT's Corporate Security Policy

SWIFT's Security Control Policy, covering:
• Governance
• Confidentiality
• Integrity
• Availability
• Change Management

Management Oversight

Detailed Policies & Standards

SWIFT Controls: Organisation, Processes, Tools

Page 5: Security Risk Management by Alain Desausoi

Providing assurance over SWIFT’s security

Key involved parties

• Internal Audit
– Audit universe, covered over a 3-year period
– Reporting to a Board committee (AFC)

• External Audit
– Focus on the critical services of SWIFT
– Delivering a SAS70 opinion

• Board committees
– Audit/Finance and Technology/Production committees
– Providing governance, amongst others on risk management

• Overseers
– Led by the National Bank of Belgium
– G-10 central banks worldwide

Page 6: Security Risk Management by Alain Desausoi

Information security risk management framework


Page 7: Security Risk Management by Alain Desausoi

Security strategy principles

• Security tone at the top
– Senior leadership, governance, oversight

• No security single point of failure

• Investing in security
– Keep in line with the threats
– People, processes, quality management

• Think the unthinkable
– Post 9/11, contingency mentality
– Plan for the worst, hope for the best

• Failure not an option
– Continuous learning and improvement culture

Page 8: Security Risk Management by Alain Desausoi

SWIFT security scope

Scope diagram: layers in scope surrounded by their threat sources.

Layers in scope: Data, Application, Systems, Networks, People, Buildings

External threats: Hackers, Organised crime, Terrorism

Internal threats

Other parties in the picture: Service providers, Customers

Page 9: Security Risk Management by Alain Desausoi

Information security risk management framework

Where are we?

Framework diagram; the boxes and their flow as far as the slide shows them:

Inputs: Threat landscape; Changes in business; Changes in technology & architecture; Incident & threat monitoring

Requirements flow: Generic security requirements -> System/project security specifications -> System/project implementation -> System deployment -> Intrusion testing

Assessment flow: Information classification -> System/project risk assessment -> Security risk registry -> Risk and action update -> Change management & budgeting

Baseline settings for systems/projects

Deviations (three arrows on the slide, from the specification, implementation and assessment steps) feed Reporting & escalation

Recurrent management oversight over the whole cycle

Page 10: Security Risk Management by Alain Desausoi

Information security risk management framework

How did we get there?

At the start: mature organisation
– Security classification (BIA)
– Strong security culture, part of the company's mission
– Strong SDLC and change management practices
– Some intrusion tests

[2003] No surprises on investments: how to protect?
– Generic security requirements -> repeatable specifications
– Common understanding across business units
– Transparency to business units
– Security costs built into project investments

[2004] No surprises on threats: is it enough?
– Repeatable risk assessments, linked to SDLC, change management, …
– Jointly with business units
– Framework with impact, likelihood, tolerance, …
– Fully endorsed by the CIO

[2005] Industrialise: extend breadth
– More business units covered
– More awareness, more intrusion tests
– Risk registry, reporting and tracking

[2007] Having its own dynamic
– Threat landscape: business, technology, threats
– Measure, feedback and lessons learned

[2008] Raising the bar
– Adapt rating rules and closure horizon
– Worst case analysis and malicious insider
– Benchmarking and preempting project needs

[2011] Efficiency
– Fit vs fat security
– Common attack patterns, checklists
– Workflow and reporting
– Online repository of service and product classifications (250+)

Measure, feedback and lessons learned: feedback loop on structural security investments

Page 11: Security Risk Management by Alain Desausoi

Risk management - internals


Page 12: Security Risk Management by Alain Desausoi

Risk identification and assessment

• Security classification
– Simple to understand, business impact driven: Confidentiality, Integrity, Availability
– Used to define the controls to be implemented (deter, prevent, contain, detect, react)

• Risk identification
– Threat landscape, external vulnerabilities, intrusion tests, audit findings, bugs
– Self assessment, proactive assessment

• Risk assessment
– Repeatable and consistent
– Impact rating: based on the security classification
– Likelihood rating: based on 5 dimensions
• A qualitative mixture of the difficulty and motivation of a vulnerability being exploited, in light of prevailing threats and the surrounding controls currently implemented. It is not a statistical measure of the exploit or breach actually happening; it does, however, take into account occurrences of similar attacks in relevant outside areas.
– Risk rating and risk tolerance

• Worst case assessment
– Malicious insider, distributed DoS, …
– Likelihood -> opportunity (access profile), additional knowledge
– Impact -> recovery time oriented

Page 13: Security Risk Management by Alain Desausoi

Risk assessment

Impact ratings

Impact rating | Confidentiality          | Integrity      | Availability
------------- | ------------------------ | -------------- | -------------------------------------------------------------------
High          | Highly Confidential data | Essential data | High critical services that cannot be restarted within the crisis timer; at least 1 critical customer or more than 50 customers
Medium        | Highly Confidential data | Important data | Medium critical services that cannot be restarted within the crisis timer; High critical services that can be restarted within the crisis timer; at least 1 critical customer or more than 50 customers
Low           | Confidential data        | Normal data    | Low critical services; Medium critical services that can be restarted within the crisis timer
Very low      | Restricted data          |                | Non critical services

Page 14: Security Risk Management by Alain Desausoi

Risk assessment

Likelihood rating

Grid on the slide: five dimensions, each graded on the same four-step scale (High, Medium, Low, Very low):

• Knowledge: Easy, known / Medium, known / Medium, secret / High, secret
• Threat source: Anyone / Customer / SWIFT / OPC
• Infrastructure: Any / >100 K$ / >1 M$ / >5 M$
• Control
• Occurrence

Page 15: Security Risk Management by Alain Desausoi

Risk mitigation

• Risk mitigation
– Identify and prioritise mitigation: feeds into the change management process
– Joint effort of business units/implementation teams and security teams

• Risk acknowledgment and acceptance

• Risk registry and tracking
– Transparency of mitigation
– Risk closure horizon attached to the initial risk rating
– Residual risk analysis, overdue reporting

Page 16: Security Risk Management by Alain Desausoi

Risk rating

Matrix on the slide: Likelihood (H, M, L) against Impact (H, M, L, VL). Cells carry a numeric risk rating; the values shown are 9, 6, 4, 3, 2 and 1, with "/" where no rating applies.

Bands on the matrix: "Immediate attention" for the highest cells, "Needs change" for the middle cells; the Risk Tolerance line separates these from the cells below it.

CR severity derived from the risk rating: Blocking, Severe, Major, Minor, Cosmetic (ratings 9 and 6 are shown against Blocking and Severe).

Two rating scales are shown side by side: "Typical" and "Max possible" (6, 4, 3, 2, 1).
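The rating mechanics of slides 12 to 16 (impact from the C/I/A classification, a qualitative likelihood built from five dimensions, risk rating as the matrix cell, CR severity and a closure horizon fixed by the initial rating, residual risk after mitigation, acceptance only below tolerance, overdue reporting) are small enough to show end to end. The following is an added example written for this page, not SWIFT's tooling or the speaker's code. Every number in it is an assumption: the weights VL=0, L=1, M=2, H=3, the rounded mean used to combine the five likelihood dimensions, the severity thresholds, the closure horizons in days, the tolerance value, and the three sample registry entries.

```python
"""Toy security risk registry in the shape of slides 12-16.

Added illustration, not SWIFT's tooling. Weights, the way the five likelihood
dimensions are combined, severity thresholds, closure horizons, the tolerance
value and the sample entries are all assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

LEVELS = ("VL", "L", "M", "H")                      # very low .. high
WEIGHT = {lvl: i for i, lvl in enumerate(LEVELS)}   # assumption: VL=0, L=1, M=2, H=3

# Risk rating -> CR severity, worst first. Thresholds are an assumption shaped like slide 16.
SEVERITY = [(9, "Blocking"), (6, "Severe"), (4, "Major"), (2, "Minor"), (1, "Cosmetic")]
# Closure horizon attached to the initial rating (slide 15); the day counts are an assumption.
CLOSURE_DAYS = {"Blocking": 30, "Severe": 90, "Major": 180, "Minor": 365, "Cosmetic": None}
RISK_TOLERANCE = 2   # assumption: a rating below this may be acknowledged and accepted


def impact_rating(confidentiality: str, integrity: str, availability: str) -> str:
    """Impact follows the security classification: the worst of the C, I and A ratings."""
    return max((confidentiality, integrity, availability), key=WEIGHT.__getitem__)


def likelihood_rating(knowledge: str, threat_source: str, infrastructure: str,
                      control: str, occurrence: str) -> str:
    """Qualitative likelihood from the five dimensions of slide 14, each given as VL/L/M/H.
    The slide does not say how they are combined; the rounded mean is an assumption."""
    scores = [WEIGHT[d] for d in (knowledge, threat_source, infrastructure, control, occurrence)]
    return LEVELS[int(sum(scores) / len(scores) + 0.5)]


def risk_rating(impact: str, likelihood: str) -> int:
    """Impact weight x likelihood weight: the 0..9 cells of the rating matrix."""
    return WEIGHT[impact] * WEIGHT[likelihood]


def cr_severity(rating: int) -> Optional[str]:
    """Change-request severity for a rating; None stands for the '/' cells (not rated)."""
    for threshold, name in SEVERITY:
        if rating >= threshold:
            return name
    return None


@dataclass
class Risk:
    risk_id: str
    opened: date
    impact: str
    likelihood: str
    closed: Optional[date] = None
    accepted: bool = False
    mitigations: List[Tuple[date, str, str]] = field(default_factory=list)  # (when, impact, likelihood)

    @property
    def initial_rating(self) -> int:
        return risk_rating(self.impact, self.likelihood)

    @property
    def residual_rating(self) -> int:
        """Rating after the most recent mitigation (residual risk analysis)."""
        if not self.mitigations:
            return self.initial_rating
        _, impact, likelihood = self.mitigations[-1]
        return risk_rating(impact, likelihood)

    @property
    def due(self) -> Optional[date]:
        """Closure horizon is fixed by the initial rating, so mitigation never extends it."""
        days = CLOSURE_DAYS.get(cr_severity(self.initial_rating))
        return None if days is None else self.opened + timedelta(days=days)

    def mitigate(self, when: date, impact: str, likelihood: str) -> None:
        """Record the re-rated impact/likelihood; close the risk once it drops below tolerance."""
        self.mitigations.append((when, impact, likelihood))
        if risk_rating(impact, likelihood) < RISK_TOLERANCE:
            self.closed = when

    def accept(self) -> None:
        """Acknowledgment and acceptance is only allowed below tolerance."""
        if self.residual_rating >= RISK_TOLERANCE:
            raise ValueError(f"{self.risk_id}: rating {self.residual_rating} is above tolerance")
        self.accepted = True


def overdue_report(registry: List[Risk], today: date) -> List[str]:
    """Ids of open, unaccepted risks whose closure horizon has passed, worst residual first."""
    late = [r for r in registry
            if r.closed is None and not r.accepted and r.due is not None and today > r.due]
    return [r.risk_id for r in sorted(late, key=lambda r: (-r.residual_rating, r.due))]


def sample_registry() -> List[Risk]:
    """Constructed sample entries (not real findings)."""
    r1 = Risk("R1", date(2011, 1, 10), impact_rating("H", "M", "L"),
              likelihood_rating("H", "H", "H", "M", "M"))   # known exploit, anyone, no cost
    r2 = Risk("R2", date(2010, 11, 1), "M", "L")
    r2.mitigate(date(2011, 3, 1), "M", "VL")               # control added: below tolerance, closed
    r3 = Risk("R3", date(2010, 6, 15), "L", "L")
    r3.accept()                                            # rating 1: acknowledged and accepted
    return [r1, r2, r3]


if __name__ == "__main__":
    registry = sample_registry()
    for r in registry:
        print(r.risk_id, r.initial_rating, cr_severity(r.initial_rating), r.due, r.residual_rating)
    print("overdue:", overdue_report(registry, date(2011, 3, 24)))
```

Two design points match the slides rather than convenience: the closure horizon is taken from the initial rating, so a partial mitigation that lowers the residual rating does not buy extra time, and acceptance is refused above tolerance, so a risk leaves the overdue report only by being mitigated below the line or by an explicit decision that the line permits.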

Page 17: Security Risk Management by Alain Desausoi

SWIFT – some facts


Page 18: Security Risk Management by Alain Desausoi

SWIFT – A customer centric user community

Banks, Corporates, Insurance Companies, Government Institutions, Broker-Dealers, Trustees, Depositories, Stock Exchanges, Payment Systems, Clearing & Settlement Systems, Payments MI's, Securities MI's, IMI's

Page 19: Security Risk Management by Alain Desausoi

SWIFT figures

• 3.8 billion messages per year
• 8,830 customers
• 209 countries and territories
• Over 2,000 employees
• Average daily traffic: 15.3 million messages
• Last peak day: 18.9 million messages, 1 March 2011

Page 20: Security Risk Management by Alain Desausoi

SWIFT Offices around the world

AMERICAS: New York, Miami, San Francisco, Sao Paulo

EMEA: HQ La Hulpe, London, Stockholm, Frankfurt, Zurich, Paris, Milan, Madrid, Vienna, Dubai, Johannesburg

ASIA PACIFIC: Seoul, Tokyo, Beijing, Shanghai, Hong Kong, Mumbai, Singapore, Sydney

Page 21: Security Risk Management by Alain Desausoi

Q&A

Page 22: Security Risk Management by Alain Desausoi

Thank you

Page 23: Security Risk Management by Alain Desausoi

Security strategy - evolution process

Governance bodies on the slide: Security Council; Security & Reliability Committee; Technology & Production Committee

Changing environment
• Threats
• Technology
• Commitments – KPI

Inputs
• Commitments – KPI
• Legal & oversight
• Business strategy
• Benchmarks
• Intrusion tests
• CPR - PIMRs

Assessment
• Risk assessment
• Technology evaluation
• Business case
• Management oversight

Decision: risk tolerance; risk acceptance vs risk mitigation; balance cost / risk

Actions
• New initiatives
• Improvement programmes (control definition, control execution)