Supporting Supplier Security Compliance Ian Lawden

Page 1: Supporting Supplier Security Compliance Ian Lawden

Supporting Supplier Security Compliance

Ian Lawden

Page 2

Security Operations Management

Context

• Over 20 million customers.
• 5.9 million working age benefit claimants.
• 479 thousand people claiming Employment and Support Allowance (ESA).
• 2.61 million working age claimants of ESA and incapacity benefits.
• 692 thousand lone parents claiming Income Support (IS).
• 4.75 million people claiming Housing Benefit, with 5.78 million claiming Council Tax Benefit.
• 12.7 million people of state pension age claiming a DWP benefit.
• 12.5 million claimants of State Pension (SP).
• 3.68 million people had started on a New Deal programme (up to May 2010).

All figures accurate at February 2010 unless otherwise stated.

Page 3

Organisation

Ministers prioritise customer need/outcome

Client Groups

Delivery:
• Local Authorities
• Private and Voluntary Sector providers
• Jobcentre Plus
• The Pension, Disability and Carers Service
• Pension Protection Fund
• Personal Accounts Delivery Authority
• Health & Safety Executive
• Child Maintenance and Enforcement Commission

Corporate Functions:
• IT
• Finance
• Change Programme
• Communications
• Commercial
• Legal
• Human Resources

Policy and Commissioning Function

Customer need/outcome met

(Organisation chart, May 2009)

Page 4

Organisation Vision – Recognition of need for IA

Vision
• To deliver the IT Service for Citizens that will make a positive difference to their lives.

Mission achieved by:
• Constantly looking for ways in which our IT systems and services can improve our service to our customers, while recognising also the absolute need to safeguard and keep secure the data which we hold on them;
• Listening to, understanding and responding to the IT needs of our people and our customers;
• Strengthening working relationships with the businesses and our suppliers to improve performance and deliver added value across all our IT systems and services;
• Innovating across organisational boundaries to provide a fast, efficient and seamless service, helping to deliver both the Department’s Business Strategy and the Government’s Transformational Government Strategy;
• Exploiting new technology to deliver solutions which are both sustainable and accessible to all;
• Growing the capability of our people by underpinning all our activity with professional competence, enhanced through training, research and reference to best practice; and
• Participating and acting with integrity in a manner that demonstrates the Department’s values and upholds its reputation.

Page 5

Corporate Framework supported by Best Practice

ITIL Service Management Process

Service Support:
• Incident Management
• Problem Management
• Change Management
• Release Management
• Configuration Management

Service Delivery:
• Service Level Management
• Financial Management
• Capacity Management
• IT Continuity Management
• Availability Management

Page 6

ITIL & Security

ITIL (v2) based:

“The ITIL-process Security Management describes the structured fitting of information security in the management organization. ITIL Security Management is based on the code of practice for information security management now known as ISO/IEC 27002.

A basic goal of Security Management is to ensure adequate information security. The primary goal of information security, in turn, is to protect information assets against risks, and thus to maintain their value to the organization. This is commonly expressed in terms of ensuring their confidentiality, integrity and availability, along with related properties or goals such as authenticity, accountability, non-repudiation and reliability.”

[There is] mounting pressure for many organizations to structure their Information Security Management Systems in accordance with ISO/IEC 27001; this requires revision of the ITIL v2 Security Management volume, and indeed a v3 release is in the works. [now in place]

Courtesy of Wikipedia

Page 7

Contention?

Service Support

ITIL process | ITIL objective | Security Management objective
Incident Management | User up and running quickly | Preserve evidence for forensic investigation
Problem Management | RCA and correct | Synergy
Change Management | Standard methods and procedures | Threat identification and emergency response
Release Management | Holistic view and forward plan | Focus on vulnerability reduction/removal
Configuration Management | Strong asset control | Synergy

Page 8

Contention?

Service Delivery

ITIL process | ITIL objective | Security Management objective
Service Level Management | Agree, monitor, report | Synergy
Financial Management | Supports business objectives | ‘Security’ not seen as a business objective
Capacity Management | Demand management for business objectives | ‘Security’ not seen as a business objective
IT Continuity Management | Recovery within agreed timescales | Preserve evidence for forensic investigation
Availability Management | Customer satisfaction equates to ‘up time’ | System availability for maintenance (patching)

Page 9

Accountability & Outsourcing – the ‘owner’ of the data is still expected to respond to and resolve problems …

UK Families put on Fraud Alert

“Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing.”

The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people. Chancellor Alistair Darling said there was no evidence the data had gone to criminals - but urged people to monitor bank accounts "for unusual activity". The Conservatives described the incident as a "catastrophic" failure.

Page 10

Media and Public Interest – still a newsworthy subject

Examples of requests received:
• Details of all data security breaches
• Whether personal information is on contractor disks
• Details of the contractor who mislaid disks etc.
• Details of breaches of citizens' personal details
• USB flash drives etc. lost in the previous 12 months
• Various lost laptops, PDAs, mobiles, blocked internet sites, staff disciplined, USBs and iPods
• Number of laptops and memory sticks lost or stolen in the last 5 years
• Various questions relating to IT security training
• Lost or broken devices, deletion processes, and other issues
• Information relating to the theft and loss of DWP laptops and mobiles over the last two years

Page 11

Organising your security relationships and structure (diagram)

DWP Security Community (Information Security Assurance):
• DST: Security Policy, Standards & Processes
• CIT: IT Security Strategy & Enterprise Architecture
• CIT: Operational Security
• Sets Security Requirements and Security Policies, Standards & Processes; performs Compliance Monitoring of Service Tower Providers

Vistorm (Improved Security Posture: Solutions, Consultancy, Technology):
• Vistorm Professional Services
• Vistorm Security Management: Threat and Vulnerability Management; Security Risk Management; Service Delivery Management; Technical Account Management
• Vistorm Managed Services & Support; Vistorm Solutions Centre of Excellence; Vistorm IA Platform; Vistorm Product Portfolios (leveraged capability)
• Security Requirements & Proposals; Commercial Engagement

SIaM processes: Incident; Problem; Change; Capacity; SLM; Config; Supplier

External Organisations: HMG Policy, Standards & Guidance; Benchmarking, Experience, Best Practice; Process Interfaces; Commercial Engagement

Service Tower Providers: EDS Hosting; EDS Desktop; EDS AMS; EDS Apps Dev; EDS SIaM; Accenture; Atos Origin; BT; Cap Gemini; Capita; Fujitsu; Xerox

Page 12

High Level Roles (diagram)

Client:
• Business – consumers of security services
• ‘Retained’ Service Integration and Management – policy & operations

Integrator:
• Outsourced SIaM – security professionalism, integration (may be supported by security experts, e.g. Vistorm)

Supplier (tower security capability), one Service Tower Provider per tower (service):
• Network
• SIaM
• Desktop
• Application Development
• Application Support & Maintenance
• Hosting
• Other services
• Other Performing Suppliers

Security roles exist at each of the three levels: Client, Integrator, Service Tower Provider.

Page 13

Certification – need for professionalism across the operating model: “Speaking a common and professional language”

Certifications held or required across the operating model (as shown on the slide):
• HMG IT Security (phase 2)
• CA certified security administrator
• Certified Ethical Hacker
• Management of Risk
• ITPC
• Certified penetration testing specialist
• NICE (Network Intelligence Certified Engineer)
• Sun certified systems administrator
• MCSE
• MCSA
• WiFi Networks Certified Professional
• HMG IT Security (phase 1)
• MCSE Security
• MCSA Messaging
• SCNS (Tactical Perimeter Defence)
• CISM
• Checkpoint certified security administrator
• CLAS
• ISO 27001
• CISSP
• MCTS
• IT Forensics
• ITIL
• CISA
• ISO 9001

Page 14

Security Capability Value Chain (diagram)

Vision & Strategy → Design & Build → Operate, with project requirements feeding design and feedback & influence flowing back along the chain (<<< Feedback & Influence).

Strategic Support – IT Security Architecture:
• Enterprise architecture
• Security strategy
• Innovation
• Horizon scanning
• Cross government

Design Support – IT Security Design:
• Security Design Authority
• Pattern / product selection
• Business lead for security incidents
• Architectural compliance
• Advice / guidance on AD design
• Knowledge management

Operate – IT Security Operations Management:
• Supplier Assurance
• Compliance Assurance
• Risk Management
• Security Incident Management
• Audit Programme
• Security Reporting
• Accreditation Aftercare

Page 15

Provide:
• Coordination of security activities across the supplier community
• Risk management services
• A security incident logging, investigation and management service
• Security assurance & accreditation management
• Security audit & compliance reviews
• Security policy & awareness services
• Threat & vulnerability response services
• Security service management and reporting

Page 16

Roles and Responsibilities – Retained Capability – Managing the Manager

Internal IT Security Operations Management role:
• Provide assurance that Service Tower providers and SIaM are compliant with security policies
• Monitor supplier performance in relation to their security obligations
• Management of necessary cross-supplier and business processes (Security Waivers and Exceptions)
• Provide IT security guidance to internal operational staff and IT support staff
• Production and approval of security bulletins and notices
• Progressing business IT security issues
• Act as centre of excellence with SIaM on all operational IT security matters

Page 17

Functions

Supplier Assurance

Compliance Assurance

Risk Management & Audit

Security Incident Management

Security Reporting

Accreditation Aftercare

I've a horrible feeling I'm under surveillance. I've been looking at Google Street View and the same van has been outside my house for days now.

Page 18

Performance Management (diagram)

Service towers, each with several suppliers: Networks; Desktop; Data Centre; Maintenance; Development.

Each tower’s suppliers feed a Performance Review; the reviews feed Dashboards that roll up into a Supplier Performance Index.

Page 19

Establishing and identifying Compliance Controls: The Service Integrator and Manager Perspective

Complete Information Security

There must be an overarching information security framework aligned with strategic business objectives: the lack of one leads to disjointed delivery priorities and to over-developed or inappropriate security controls.

For Government Departments, in addition to ensuring compliance with HMG security requirements, adoption of such a framework:
• improves engagement with both IT & non-IT supplier organisations, who generally state compliance or certification against ISO 27001 & who therefore understand its requirements,
• simplifies future development & implementation of delivery solutions & services through effective, pragmatic security risk management,
• enables the updating of security policy & guidance in response to changing threats and business needs,
• improves the efficiency of communication with those responsible for implementing security controls.

Page 20

Policing Compliance Controls: The Service Integrator and Manager Perspective

Complete Information Security

• Automated v Manual

Automated/Technology

Pros:
• Consistency of analysis
• Speed of applying rules and measures
• Reduces error rate
• Enhanced data mining/analysis/correlation capability
• 24/7/365 high availability operation
• Can enforce compliance

Cons:
• Cost of baselining rules and measures
• Critical dependence on hardware/software
• Interoperability of products
• Can introduce vulnerabilities
• Training
• Vendor enthusiasm to act as a VAR rather than a true security solution provider

Manual/Process

Pros:
• Understanding of problems and coping with variance/idiosyncrasies
• Can provide for cost savings
• Capable of analysing the situation to manage business reputation
• Thinking outside the box
• Understanding the implications of decisions

Cons:
• Dependencies on specific resource
• Costly for 24/7/365 manual operations
• Compliance not enforced
• Manual information management
• Potential for increased error

Page 21

Risk Management & Audit

• Implement, or aim for, a consistent approach across all suppliers.
• Ensure that risk management is seen as the basis for all decisions by referencing it in meetings, forums and workshops.
• Tie audits into the risk management process.
• Ensure that risks are articulated in simple but specific language, not at too high a level, that the risk is real, and that the mitigation is proportionate and effective!
• Regularly and formally review risk management processes and procedures, ensuring a holistic approach across the organisation.

Why did the chicken cross the road? It was trying to get a signal on its iPhone 4.

Page 22

Incident Management & Reporting

Awareness is key, including consistency across staff and suppliers ...

Share messages.

Page 23

IT Security Reporting: Showing value by reporting reduced vulnerability

Overarching Security Service Improvement Programme (diagram), reported to the Top of the Office as Activity → Impact → Outcome:

Activity | Impact
IT Security Awareness | Greater IT security awareness
Supplier Performance | Increased supplier performance (or reduced non-compliance)
Systems Defence | Hardened, bolstered and tested systems defence
Risk Management | Proportionate, holistic and effective risk management
Capability | Capability that matches the challenge

Page 24

Accreditation Aftercare

• Monitor accreditation activity and accreditation aftercare, ensuring systems are used within the accreditation scope and that changes are notified where appropriate. (Problem Management?)
• In particular, provide assurance that the accreditations for infrastructure services are up to date and that all necessary activities are under control. (Service Level Management)
• Identify DWP information systems (Configuration Management?) and ensure accreditation procedures are adhered to. (Supported by Audit)

Is it just me, or would you kill for the kind of download speed that girl from the piracy ads is getting?
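The three aftercare activities above are the kind of check that page 20 contrasts as "automated" against "manual": once the CMDB, the accreditation register and the change records are available as data, scope drift, expiry and unnotified change can be reported by a script rather than by periodic manual review. The following is an added example written for this page, not DWP, Vistorm or HMG code. It assumes a CMDB export of which components each system runs, an accreditation register giving grant date, expiry date and accredited scope, and change-management records carrying a flag for whether the accreditor was told; every system, component, date, threshold and finding code is constructed.

```python
"""Accreditation aftercare as an automated control.

Added example, not DWP or Vistorm code. Every system, component, date and
finding code below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Accreditation:
    system: str
    granted: date
    expires: date
    scope: frozenset  # components the accreditation actually covers


@dataclass(frozen=True)
class Change:
    system: str
    on: date
    component: str
    notified_to_accreditor: bool  # was the accreditor told about this change?


# Constructed CMDB view (configuration management): system -> components recorded as deployed.
CMDB = {
    "benefits-portal": frozenset({"web-tier", "app-tier", "db-tier"}),
    "payments-batch": frozenset({"scheduler", "db-tier", "sftp-gateway"}),
    "legacy-reports": frozenset({"report-server"}),
}

# Constructed accreditation register. Note "legacy-reports" has no entry at all.
ACCREDITATIONS = [
    Accreditation("benefits-portal", date(2009, 6, 1), date(2010, 7, 1),
                  frozenset({"web-tier", "app-tier", "db-tier"})),
    Accreditation("payments-batch", date(2008, 3, 15), date(2010, 3, 15),
                  frozenset({"scheduler", "db-tier"})),
]

# Constructed change-management records. The sftp-gateway was added without telling the accreditor.
CHANGES = [
    Change("payments-batch", date(2010, 1, 20), "sftp-gateway", notified_to_accreditor=False),
    Change("benefits-portal", date(2010, 2, 2), "web-tier", notified_to_accreditor=True),
]

CHECK_DATE = date(2010, 5, 1)  # constructed "today" so the example is reproducible


def aftercare_findings(cmdb, accreditations, changes, today, warn_days=90):
    """Return (system, finding_code, detail) tuples, ordered by system name.

    Finding codes (assumed names, not an HMG or DWP taxonomy):
      UNACCREDITED       system in the CMDB with no accreditation record
      EXPIRED / EXPIRING accreditation past, or within warn_days of, its expiry
      OUT_OF_SCOPE       deployed components the accreditation does not cover
      UNNOTIFIED_CHANGE  change after the grant date not notified to the accreditor
    """
    register = {a.system: a for a in accreditations}
    findings = []
    for system, components in sorted(cmdb.items()):
        acc = register.get(system)
        if acc is None:
            findings.append((system, "UNACCREDITED", ""))
            continue  # nothing else can be checked without an accreditation
        if acc.expires < today:
            findings.append((system, "EXPIRED", acc.expires.isoformat()))
        elif acc.expires - today <= timedelta(days=warn_days):
            findings.append((system, "EXPIRING", acc.expires.isoformat()))
        drift = components - acc.scope  # deployed but never accredited
        if drift:
            findings.append((system, "OUT_OF_SCOPE", ",".join(sorted(drift))))
        for ch in changes:
            if ch.system == system and ch.on > acc.granted and not ch.notified_to_accreditor:
                findings.append((system, "UNNOTIFIED_CHANGE",
                                 f"{ch.component}@{ch.on.isoformat()}"))
    return findings


if __name__ == "__main__":
    for system, code, detail in aftercare_findings(CMDB, ACCREDITATIONS, CHANGES, CHECK_DATE):
        print(f"{system:16} {code:18} {detail}")
```

The output is a list of findings rather than a pass/fail, so it can be fed into the audit programme and the supplier performance reporting described on the earlier pages; an out-of-scope component and an unnotified change on the same system are reported separately because they go to different process owners (the accreditor and change management respectively).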

Page 25

• Need to identify and maintain relationships with business IT Security stakeholders (Single Points of Contact)
• Diverse business scenarios within large organisations (one size may not fit all):
  o Multiple locations
  o Differing operating models
  o Inconsistency in IT security expertise
  o Accountabilities unclear
• Internal Identity and Access Management – local installer rights and privileged users detracting from the ‘defence in depth’ strategy:
  o End User Computing (definition!)
  o Demands for local or flexible storage of data
  o Use of unapproved tools and techniques and inappropriate developments
  o Lack of expertise in using standard tools
  o Introduction of unauthorised software
  o Introduction of unauthorised devices
  o Use of ‘ready to go’ Internet services
• User awareness:
  o Phishing attacks
  o Spam
  o Social engineering
• Drive to provide access to social networking

My mate Sid was a victim of ID theft - He's just called ‘S’ now.

Page 26

Persistent Supply Chain Challenges and Opportunities

• Privileged users in the supplier community:
  • Local
  • Off shore
  • Remote access
• Provisioning and de-provisioning (Identity and Access Management)
• Flexibility and agility versus control and stability
• Economic climate – continuity of supply
• Evidencing independence
• Commercials and integrating compliance
• Supplier collaboration (or lack of it)
• Patching and maintenance against availability and risk
• Enforcing standard change control
• “It’s all about the contract!”

Just found an absolute bargain on eBay - some bloke in Nigeria is selling army dog tags inscribed with your name, national insurance number, bank account and sort code details free of charge. Get in there quick!
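Of the challenges above, provisioning and de-provisioning of supplier privileged users (local, off shore and remote) is one the integrator can reconcile mechanically rather than by trusting each supplier's attestation. The following is an added example, not DWP or Vistorm code. It assumes the integrator receives a roster of people from each service tower provider, a privileged-account export from the towers' directories, and the register of approved security waivers and exceptions referred to on page 16; it flags accounts with no roster owner, leavers' accounts still enabled, dormant accounts, and offshore remote privileged access with no approved exception. Supplier names, identifiers, dates, thresholds and finding codes are all constructed.

```python
"""Reconciling supplier privileged accounts against supplier rosters and approved exceptions.

Added example, not DWP or Vistorm code. Suppliers, people, accounts, dates and
finding codes are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RosterEntry:
    supplier: str
    person: str
    active: bool      # False once the supplier reports the person has left
    location: str     # "onshore" or "offshore"


@dataclass(frozen=True)
class PrivAccount:
    account: str
    supplier: str
    person: str       # who the supplier says the account belongs to
    enabled: bool
    last_login: date
    remote_access: bool


# Constructed rosters supplied by each service tower provider.
ROSTER = [
    RosterEntry("HostingCo", "h001", True, "onshore"),
    RosterEntry("HostingCo", "h002", False, "onshore"),   # leaver
    RosterEntry("DevCo", "d010", True, "offshore"),
    RosterEntry("DevCo", "d011", True, "offshore"),
]

# Constructed privileged-account export from the towers' directories.
ACCOUNTS = [
    PrivAccount("adm-h001", "HostingCo", "h001", True, date(2010, 4, 28), False),
    PrivAccount("adm-h002", "HostingCo", "h002", True, date(2010, 1, 5), True),   # leaver, still enabled
    PrivAccount("adm-h009", "HostingCo", "h009", True, date(2010, 4, 1), False),  # nobody on the roster
    PrivAccount("adm-d010", "DevCo", "d010", True, date(2010, 4, 30), True),
    PrivAccount("adm-d011", "DevCo", "d011", True, date(2010, 4, 29), True),
    PrivAccount("svc-old", "DevCo", "d010", True, date(2009, 11, 1), False),      # not used for months
]

# Constructed register of approved waivers/exceptions: (supplier, person) pairs
# permitted offshore remote privileged access.
EXCEPTIONS = {("DevCo", "d010")}

CHECK_DATE = date(2010, 5, 1)  # constructed "today" so the example is reproducible


def reconcile(accounts, roster, exceptions, today, dormant_days=90):
    """Return (account, finding_code) tuples ordered by account name.

    Finding codes (assumed names):
      ORPHANED                      no roster entry for the account's owner
      LEAVER_STILL_ENABLED          owner has left but the account is still enabled
      DORMANT                       no login for more than dormant_days
      OFFSHORE_REMOTE_NO_EXCEPTION  offshore owner with remote access and no approved exception
    """
    people = {(r.supplier, r.person): r for r in roster}
    findings = []
    for acct in sorted(accounts, key=lambda a: a.account):
        if not acct.enabled:
            continue  # disabled accounts are out of scope for this check
        owner = people.get((acct.supplier, acct.person))
        if owner is None:
            findings.append((acct.account, "ORPHANED"))
            continue  # no owner, so the remaining owner-based checks do not apply
        if not owner.active:
            findings.append((acct.account, "LEAVER_STILL_ENABLED"))
        if today - acct.last_login > timedelta(days=dormant_days):
            findings.append((acct.account, "DORMANT"))
        if (owner.location == "offshore" and acct.remote_access
                and (acct.supplier, acct.person) not in exceptions):
            findings.append((acct.account, "OFFSHORE_REMOTE_NO_EXCEPTION"))
    return findings


if __name__ == "__main__":
    for account, code in reconcile(ACCOUNTS, ROSTER, EXCEPTIONS, CHECK_DATE):
        print(f"{account:10} {code}")
```

The roster and the account export come from different parties (the supplier's HR process and the tower's directory), which is what makes the reconciliation worth doing: a leaver still holding an enabled account is exactly the gap a supplier's own self-attestation tends to miss, and the exception register gives the integrator an evidenced basis for the "unpalatable" offshore access the key messages warn about, instead of a blanket prohibition that gets quietly ignored.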

Page 27

Successes and Advantages

• Access to thought leadership, innovation and industry research
• Ability to resource fluctuations in demand (e.g. accreditation & related activities)
• Ability to identify cross-supplier trends and issues (IAM for example)
• Application of industry standards and techniques (patch management)
• Ability to manage large amounts of security compliance information from across suppliers’ operational processes and technology, and drive cost-effective continuous improvement (e.g. roadmap, incident management processes)
• Independent, integrated view of operational security risk
• Fixed price service measured via SLAs – driven down security resourcing costs

Page 28


Key Messages

• Recognise that suppliers exist to make a profit and, therefore, ensure that you (and your supplier) understand what your priorities are and who is accountable: does your desire to protect your business align with the supplier’s business plan?
• Continually stress, and demonstrate by actions and deeds, that where you have outsourced the management of suppliers the ‘integrator’ is your agent and is acting on your behalf; they must be afforded the same access and cooperation as you yourself.
• Collaborate with your supplier in establishing and refining process definitions with clear ‘hand off’ points.
• Understand the end-to-end supply chain to flush out any ‘unexpected’ and potentially unpalatable elements (such as off shore activity).
• Ensure communications are consistent across all suppliers; this is another opportunity to emphasise your support for your supplier.
• Ensure that security clauses in IT contracts mandate your suppliers to cooperate with your integrator.
• Where possible, ensure consistent methodologies for risk management, patching, etc.
• Ensure availability and up time promises to the organisation are consistent with the need for essential (including unanticipated) system maintenance.
• Bake in compliance activity as well as technical security measures when developing systems.
• Don’t panic or set hares running; things are not always as bad as they first appear, but you can soon make them that bad (or worse) through inappropriate responses!

I got a second e-mail this morning from a Nigerian bank offering me £10m if I give him my bank details. What luck! I'm going to be back in credit after the first one wiped me out!