PRESENTATION TITLE: Compliance Management in Banking - TSIEM
PRESENTER'S NAME: Nina Ugrinoska


Page 1: Compliance management u bankarstvu   tsiem - nina ugrinovska

PRESENTATION TITLE: Compliance Management in Banking - TSIEM

PRESENTER'S NAME: Nina Ugrinoska

Page 2

Agenda

• Problems and initiative

• Data security - regulation or necessity

• Preparation, risk analysis, product selection

• TSIEM (Tivoli Security Information and Event Management)

• Defining processes, privileges and responsibilities

• What to cover, what results to expect, and alerting

• Implementation, testing and consolidation

• Operations, system development and improvement, reporting

• Summary: Are we sure that we are now SECURE?

• Q & A

Page 3

Problems and initiative

Awareness

-How would you stop the flood?

Communication is vital

-Hi, I came to ask you about the M procedure.

-M procedure?!

-Yes. The procedure you wrote about M.

-Oh, that M procedure. Yes there is an M procedure.

-Can I take a look at it?

-Yes, it is on public file server.

-Could you please give me some details? Number, name, folder?

-Oh, wait... it is here somewhere...

no... maybe here... ...

Hey guys who wrote the M procedure?

Maybe Nick... Where is Nick?

- Never mind, sorry to bother you, bye.

Page 4

Problems and initiative

• Transformation of the organization
  – Business processes
  – Corporate culture (international and multicultural)

• Myths about IS
  – It is too expensive! (Can we afford it?)
  – IS = IT security
    - Many security problems can't be solved with technology.
  – It happens to somebody else
    - "More than 30% of those polled by the National Cyber Security Alliance (NCSA) think they'll take a bolt of lightning through the chest before they see their computers violated in an Internet attack."
  – "I've got a brand new $10,000 firewall system. I'M SAFE!"
    - 90% of security breaches are the result of bad configuration
    - 70% of security breaches may come from inside
    - Common sense, not rocket science!
  – Cool! I wrote it, so everybody knows it!
  – If they sign the policy when they get hired, they will always remember it.
  – Employees think about the information security policy before they go to sleep.

Page 5

Problems and initiative

2010 Top Security Threats

1. Cyber/Communication Security: Internet/Intranet Security

2. Workplace Violence Prevention/Response

3. Business Continuity Planning/Organizational Flexibility

4. Employee Selection/Screening

5. Unethical Business Conduct

6. Crisis Management and Response: Political Unrest/Regional Instability/National Disasters

7. Property Crime

8. General Employee Theft

9. Travel Security

10. Fraud/White-Collar Crime

Page 6

Data security (Information Security) – regulation or necessity

"Information is the result of processing, manipulating and organizing data in a way that adds to the knowledge of the person receiving it."

"The security of a system is the extent of protection against some unwanted occurrence such as the invasion of privacy, theft, and the corruption of information or physical damage."

"The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional."

"Protection of information for confidentiality, integrity and availability."

"4 P's" of security: People, Policy, Process and Product.

Compliance with mandatory legislation and accepted standards

Risk mitigation

ROI

Business damage

Ensure BC & DR

Page 7

Data security (Information Security) – regulation or necessity

There is a risk in any use of an information system.

Every manager developing or using an IS should understand the risks and the steps involved in risk aversion in order to confront them.

News and magazines are full of stories about hackers and viruses, but there is little or no detail about companies suffering from the attacks, or about profit losses caused by IS breakdowns.

The term "information security" means different things to different people. For vendors, security is a product; for many organizations it is something the IT manager must take care of; for most users it means involuntary limits on what they can do with the corporate computers. All of these views are dangerously narrow.

Information is the heart of the modern economy. The confidentiality, integrity and availability of that information are fundamental to any organization's survival in the market.

We cannot predict when, where, what, how and for how long we will be attacked, but when it happens we must be ready and willing to defend against the attack.

Page 8

Data security (Information Security) – regulation or necessity

ADVICE

Draw on the right expertise to understand the security threats you face and your legal responsibilities

Integrate security into normal business practice, through a clear security policy and staff education

Invest appropriately in security controls (to mitigate risks), or in insurance (to transfer them)

Check your key security defences (such as operating system patches, disaster recovery plans, etc.) are robust and up to date.

Respond to security incidents efficiently and effectively, to minimise business disruption.

Page 9

Data security (Information Security) – regulation or necessity

No information system is immune to cyber criminals.

Each and every organisation will experience one or more disruptions, misuses or attacks.

Disasters can and will happen. Discontinuity is not an option in doing business. Recovery is always costly and takes time. There is always the possibility of permanent data loss.

Theft or loss of business plans, client data, contracts, intellectual property, project designs and industrial technology may cause long-term financial damage to the organization.

Misuse of information system resources has a direct financial impact.

Privacy can be compromised, and the company would then be subject to legal measures.

Reputation can be destroyed. Organizations that are unable to protect the privacy of staff and client information will suffer the penalties and pay the fines. Partnership relations will be damaged; brand and public image will be shaken.

The question is not whether we can afford our defence; it is whether we can afford not to defend against information security threats.

There is no security without business requirement.

Better safe than sorry!

Page 10

Data security (Information Security) – regulation or necessity

SUMMARY

Incidents

Risks

Privileged users

Heterogeneous structure

Forensic and management requirements

Audit reports

Supervisory reports of the Central Bank

Central Bank regulations

Other regulatory bodies

Page 11

Preparation, risk analysis, product selection

• Risk analysis (risk assessment) – the basis for implementing security

• Risk management (risk management & risk treatment)

• Implementation of controls

• Risk acceptance

• Transfer of risk to other parties

Page 12

Preparation, risk analysis, product selection

• Project team – Information Security Officer, Risk Officer, Compliance Officer, IT Manager, Internal Audit, Controlling Officer, Top Management, Middle Management...

• Definition of the requirements and of the need to control specific systems

• Definition of a system owner responsible for the control of each system

• Definition of privileges relative to system usage

• Setting the tender requirements

• Large differences between log management products

• Evaluation of the received offers

• Selection of the product that satisfies all requirements

Page 13

Preparation, risk analysis, product selection

Why IBM Tivoli Security Information and Event Management?

• It met our requirements

• Team of expert consultants

• References in banking systems

• Implementation and support

• Post-production support

• IT tools

• Compliance reports

• Forensics

• On-line interaction

• Other products on the market

Page 14

TSIEM Tivoli Security Information and Event Management

Page 15

TSIEM

Structure of normalized logs – W7 methodology

Page 16

TSIEM

TCIM – Tivoli Compliance Insight Manager

• TCIM – Tivoli Compliance Insight Manager – Windows Server with DB2

• Stores signed raw logs in the depot

• Normalization process and storage in DB2

• GEM (generic event module) for related log databases

• Works with agents installed on the servers

• Collectors

• Supported products – Microsoft products, Check Point, Cisco ...
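The "signed raw logs in the depot" bullet is the integrity control that lets the raw archive serve as forensic evidence later. The Python below is an added example, not code from the presentation and not how IBM implements the TCIM depot: it stores constructed batches of raw log lines, tags each batch with an HMAC-SHA256 that also covers the previous batch's tag, and shows that an edited line or a removed inner batch is detected at verification time. The key, the batch layout and the log lines are all assumptions made for the example.

```python
"""Added example (not TCIM's code): a signed raw-log depot in which every
batch of raw lines carries an HMAC-SHA256 tag chained to the previous batch,
so that later modification, reordering or removal of inner batches is
detected when the depot is verified. Key, batches and lines are constructed."""
import hmac
import hashlib

# Constructed key; in practice it belongs to the verifier, not the collector.
DEPOT_KEY = b"constructed-example-key-not-for-real-use"

# Constructed raw firewall log batches; not real traffic.
SAMPLE_BATCHES = [
    ["May 12 08:01:10 fw01 ACCEPT src=10.1.5.20 dst=10.1.2.8 dpt=443",
     "May 12 08:01:12 fw01 DENY src=10.1.5.20 dst=10.1.2.9 dpt=22"],
    ["May 12 08:05:00 fw01 ACCEPT src=10.1.9.3 dst=10.1.2.8 dpt=443"],
    ["May 12 08:09:41 fw01 DENY src=192.0.2.7 dst=10.1.2.8 dpt=3389"],
]


def _tag(key: bytes, prev_tag: str, lines) -> str:
    """HMAC over the previous tag followed by every raw line, newline-terminated
    so that line boundaries are part of what is signed."""
    mac = hmac.new(key, prev_tag.encode("ascii"), hashlib.sha256)
    for line in lines:
        mac.update(line.encode("utf-8") + b"\n")
    return mac.hexdigest()


def store_batch(depot: list, key: bytes, lines) -> str:
    """Append a batch to the depot (chained to the previous tag) and return its tag."""
    prev_tag = depot[-1]["tag"] if depot else "genesis"
    tag = _tag(key, prev_tag, lines)
    depot.append({"lines": list(lines), "tag": tag})
    return tag


def verify_depot(depot: list, key: bytes):
    """Recompute the chain; return (True, None) or (False, index of first bad batch)."""
    prev_tag = "genesis"
    for i, batch in enumerate(depot):
        expected = _tag(key, prev_tag, batch["lines"])
        if not hmac.compare_digest(expected, batch["tag"]):
            return False, i
        prev_tag = batch["tag"]
    return True, None


def build_sample_depot() -> list:
    """Ingest the constructed batches in order, as a collector would."""
    depot = []
    for batch in SAMPLE_BATCHES:
        store_batch(depot, DEPOT_KEY, batch)
    return depot


def tamper_demo():
    """An edited raw line (DENY rewritten as ACCEPT) breaks batch 0's tag."""
    depot = build_sample_depot()
    depot[0]["lines"][1] = depot[0]["lines"][1].replace("DENY", "ACCEPT")
    return verify_depot(depot, DEPOT_KEY)


def drop_demo():
    """Removing the middle batch breaks the chain at the batch that followed it."""
    depot = build_sample_depot()
    del depot[1]
    return verify_depot(depot, DEPOT_KEY)


if __name__ == "__main__":
    print("intact:", verify_depot(build_sample_depot(), DEPOT_KEY))
    print("edited line:", tamper_demo())
    print("dropped batch:", drop_demo())
```

The chain catches modification, reordering and removal of inner batches. Truncation (removing the newest batch) is only detected if the latest tag is also recorded somewhere the depot writer cannot change, for example in a periodic audit report or on a separate host, and the key has to be held by the verifier rather than by the collector that writes the depot.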

Page 17

TSIEM

• Different event sources (one device can have several event sources)

• User information source (AD)

• Related event sources from different devices go into the same database

• Routers and switches – syslog server events

• A policy for each database (at the database level)

• Self-audit of the TSIEM database

Page 18

TSIEM

Event Source View

Page 19

TSIEM

Dashboard

Page 20

TSIEM

Reports

Page 21

TSIEM

Reports

Page 22

Defining processes, privileges and responsibilities

OO + NT = EOO

Business process reengineering

Page 23

Defining processes, privileges and responsibilities

Business Model for IS

Page 24

Defining processes, privileges and responsibilities

Business Model for IS

Organization Design / Strategy

• The organization is a network of people interacting with each other; it contains the interactions between people & elements (it drives culture, governance & architecture). IS as a component needs to map to the whole organization.

• Strategy specifies the goals & objectives to be achieved as well as the values & missions to be pursued (the business formula for success, setting the basic direction).

• Design relates to the formal organization structure.

Page 25

Defining processes, privileges and responsibilities

Business Model for IS

Process

• Includes formal & informal mechanisms to get things done

• Provides the vital link to all of the dynamic interconnections

• Process is designed to identify, measure, manage & control risk, availability, integrity & confidentiality, and to ensure accountability

• Can be COBIT, ITIL, ISO 27002 or a combination

Technology

• Organizational infrastructure

• Tools that make processes more efficient

• Used to meet the organization's mission

• The 'glue' for IS issues

Page 26

Defining processes, privileges and responsibilities

Business Model for IS

People

• Represents the human resources & the IS issues that surround them

• The collective of human actors, including their values & behaviors

• All whose efforts must be coordinated to accomplish the organization's goals

• Not just units of "one", since each individual comes with all their experiences, values, etc.

• Need to harness 'human intelligence'

Page 27

Defining processes, privileges and responsibilities

• List of servers, products and devices for logging

• Employees responsible for individual systems (system owners) and their privileges

• Responsibilities for daily or periodic tasks on the Log Management system

• Compliance with internal policies and procedures

• Business Continuity & Disaster Recovery

• Defining the initial policies and groups:

  • Division into groups: users, administrators, related servers, related activities...

  Correlations between specific systems

  Policy Rules – raise an alert on a "policy exception"

  Special Attention Rules – raise an alert when a defined activity occurs
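Pages 15 to 17 describe normalizing raw events into the W7 structure and grouping related sources, and the bullets above describe policy rules (alert on a policy exception) and special attention rules (alert when a defined activity occurs). The Python below is an added example, not code from the presentation or from TCIM: it parses constructed key=value log lines into the seven W7 dimensions as IBM names them (who, what, when, where, where from, where to, on what), assigns each dimension to a group, treats any who/what/where combination that is absent from the policy as a policy exception, and raises special attention alerts for account management and for after-hours data changes. The log format, group names, policy rules and sample events are all constructed for the example.

```python
"""Added example (not from the presentation or IBM's TCIM): W7 normalization,
grouping, policy rules and special attention rules over constructed log lines."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed raw events in a simple key=value format from two sources
# (a domain controller and a database server). Not real log data.
RAW_EVENTS = [
    "2010-05-12T08:01:10 host=DC01 evt=4624 user=jsmith src=10.1.5.20 dst=DC01",
    "2010-05-12T08:03:45 host=DB01 evt=DB_SELECT user=jsmith src=10.1.5.20 dst=DB01 obj=customers",
    "2010-05-12T22:14:02 host=DB01 evt=DB_DELETE user=jsmith src=10.1.5.20 dst=DB01 obj=customers",
    "2010-05-12T22:15:30 host=DC01 evt=4720 user=adm_mk src=10.1.9.3 dst=DC01 obj=svc_backup",
]


@dataclass
class W7Event:
    """One normalized event: the seven W7 dimensions."""
    who: str         # account that performed the action
    what: str        # activity (event id or name as logged)
    when: datetime   # time of the activity
    where: str       # platform/host on which the event was logged
    where_from: str  # origin of the action (source address)
    where_to: str    # target host
    on_what: str     # object acted upon (table, account, ...), "-" if none


FIELD_RE = re.compile(r"(\w+)=(\S+)")


def normalize(line: str) -> W7Event:
    """Map one raw key=value line onto the W7 structure."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    return W7Event(
        who=fields["user"], what=fields["evt"],
        when=datetime.fromisoformat(timestamp),
        where=fields["host"], where_from=fields["src"], where_to=fields["dst"],
        on_what=fields.get("obj", "-"),
    )


# Constructed grouping tables (the "division into groups" step on the slide).
WHO_GROUPS = {"jsmith": "users", "adm_mk": "administrators"}
WHAT_GROUPS = {"4624": "logon", "DB_SELECT": "data-read",
               "DB_DELETE": "data-change", "4720": "account-management"}
WHERE_GROUPS = {"DC01": "domain-controllers", "DB01": "databases"}
ONWHAT_GROUPS = {"customers": "customer-data", "svc_backup": "service-accounts", "-": "none"}


def groups_of(e: W7Event) -> dict:
    """Resolve each dimension to its group; unmapped values become 'unknown'."""
    return {
        "who": WHO_GROUPS.get(e.who, "unknown"),
        "what": WHAT_GROUPS.get(e.what, "unknown"),
        "where": WHERE_GROUPS.get(e.where, "unknown"),
        "on_what": ONWHAT_GROUPS.get(e.on_what, "unknown"),
    }


# Policy rules: the only (who-group, what-group, where-group) combinations
# that are permitted. Anything else is a policy exception.
POLICY_RULES = {
    ("users", "logon", "domain-controllers"),
    ("users", "data-read", "databases"),
    ("administrators", "logon", "domain-controllers"),
    ("administrators", "account-management", "domain-controllers"),
}


def special_attention(e: W7Event, g: dict) -> list:
    """Special attention rules: defined activities that always alert,
    even when the policy permits them."""
    reasons = []
    if g["what"] == "account-management":
        reasons.append("account management activity")
    if g["what"] == "data-change" and not 7 <= e.when.hour < 19:
        reasons.append("data change outside business hours")
    return reasons


def evaluate(lines) -> list:
    """Normalize, group and evaluate every line; return the alerts raised."""
    alerts = []
    for line in lines:
        e = normalize(line)
        g = groups_of(e)
        if (g["who"], g["what"], g["where"]) not in POLICY_RULES:
            alerts.append(("policy exception", e.who, e.what, e.where))
        for reason in special_attention(e, g):
            alerts.append(("special attention", e.who, e.what, reason))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(RAW_EVENTS):
        print(*alert, sep=" | ")
```

Two design points match the slides: an unmapped user, event or host falls into an "unknown" group and therefore cannot match any policy rule, so new sources surface as exceptions until someone classifies them (the "learning from mistakes in group definitions" step later in the deck), and special attention rules fire independently of the policy, so a permitted but sensitive action such as account creation is still reviewed.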

Page 28

Defining processes, privileges and responsibilities

Page 29

Defining processes, privileges and responsibilities

Grouping in TCIM

Page 30

What to cover, what results to expect, alerting

• Which systems are of interest to us
  – DB
  – applications
  – OS
  – devices
  – desktops

• Which events from those systems
  – Typical
  – Atypical

• How to react to specific events

• Which incidents require an alert to be set up

• What results to expect from Tivoli

• Without defining the needs beforehand, we cannot expect the desired output

Page 31

Implementation, testing and consolidation

• Implementation in cooperation with the vendors, based on our requirements

• Best practice

• Defining all policies

• Installing agents on the systems

• Producing technical documentation

• Producing user documentation

• Testing the system: are the desired results and alerts obtained?

Page 32

Operations, system development and improvement, reporting

• Dedicated full-time job position

• System maintenance, regular backups, system availability

• Development and extension of policies according to the needs of the reporting side

• Learning from mistakes in the definition of groups, policies and alerting

Page 33

Operations, system development and improvement, reporting

• Forensic analyses

• Implementing new requirements

• Definition of reports

• Compliance reports

• Custom reports

• Ad-hoc reports

Page 34

How to solve security and regulation?!?!

Trust

(Pray)

Open source

(Is it really free of charge?)

Commercial

(OK, how many zeroes?)

Outsource

("I'm Winston Wolf, I solve problems.")

Page 35

Summary: Are we sure that we are now SECURE

• Did Tivoli solve our problems?

• Or did it generate new ones?

• Through the Tivoli implementation we learned that the basis of security is a detailed analysis of the business processes (organization, employees and technology)

• With the Tivoli implementation we improved and structured the entire business.

Page 36

Q & A