A Holistic Approach to Protecting and Securing Enterprise Information
Meenu Gupta, CISA, CISM, CISSP, CIPP, PMP
ISACA COBIT 5 Security Task Force
President, Mittal Technologies, Washington, DC
Agenda
• Managing Business Information
• Challenges, Risks, Realities
• Solutions, Mitigations, Visions
• Information Governance vs Management
• Best Practices
History of Information
"As a general rule, the most successful man in life is the man who has the best information." – Benjamin Disraeli

"We are more thoroughly an enlightened people, with respect to our political interests, than perhaps any other under heaven. Every man among us reads, and is so easy in his circumstances as to have leisure for conversations of improvement and for acquiring information." – Benjamin Franklin

"…knowledge has become the central, key resource that knows no geography." – Peter Drucker

"Information technology and business are becoming inextricably interwoven. I don't think anybody can talk meaningfully about one without the talking about the other." – Bill Gates
So, What’s the Problem?
EPA security breach exposes personal information of 8,000 people
The recent data breach at Massachusetts Eye and Ear Infirmary (MEEI)……
In the wake of a massive security breach on the business networking site LinkedIn, which resulted in the leaking of roughly 6.5 million user passwords……
The U.S. Federal Trade Commission has filed a lawsuit against hotel chain Wyndham Worldwide….
Managing Business Information
Challenges, Risks, Realities
• Inappropriate disclosure
• Lost
• Stolen
• Held for ransom
• Destructive
• Fraud
Challenges, Risks, Realities
1. Lack of accountability
2. Carelessness
3. Lack of awareness
4. Malware infection
5. Hacking
6. Fraud
7. Improper disposal of equipment
Challenges, Risks, Realities
Top Management Challenges Facing the Department of Transportation – OIG Report, March 2012
"To prevent unauthorized access to PII, OMB requires agencies to reduce the volume of and restrict access to information collected and maintained, as well as implement other security controls, such as encryption.

….

However, until these measures are implemented, the Department's systems remain vulnerable to exploitation. For example, our ongoing audit of the United States Merchant Marine Academy's (USMMA) network identified and exploited a critical vulnerability providing full access to the network, including databases containing sensitive midshipmen information."
Challenges, Risks, Realities
Recommendations on technical implementation guidelines of Article 4 - ENISA
Malcolm Baldrige National Quality Award, Nestlé Purina PetCare (2010)
www.NIST.gov
4.2 Management of Information, Knowledge, and Information Technology

a. Data, Information, and Knowledge Management

(1) NPPC uses a multi-faceted approach to ensuring the integrity, accuracy, timeliness, and security of our performance data.
Malcolm Baldrige National Quality Award, Bronson Methodist Hospital (2005)
www.NIST.gov
In 2005, BMH dedicated over $28 million to capital investment, more than 7 percent of total budgeted expenses, in information technology, equipment, and facilities.

In addition, the system allows physicians to provide patient care from off-site locations by accessing patient information through a secure Internet connection.
Best Legally Compliant Programs
• View Information as a key organization asset
• Understand the “Information Life Cycle”
• Not just “Manage” information, but “Govern” it.
• Find an approach that supports compliance with relevant laws, regulations, contractual agreements and policies
Best Legally Compliant Programs
Will have:
• A unified approach to addressing data breaches
• Best practices, policies and procedures in place
• Effective technical measures in place
• A thorough understanding of various regulations
• A good grasp on data breach trends and statistics
• A good notification plan in place
Information a Key Asset
• Information Inventory
• Information Classification
• Information Valuation
• Information Stewards/Stakeholders
• Information Goals
Information Management Activities
• Information Management Plan
• Information Architecture
• Information Security
• Information Risk Profiles
• Information Risk Management
• Information Management Policies and Practices
• Information Audits
Information Governance vs Management
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
– COBIT 5, ISACA, USA
– The Business Model for Information Security (BMIS), ISACA, USA, 2010
– The 2011 Standard of Good Practice for Information Security, Information Security Forum (ISF), UK, 2011
– Common Security Framework (CSF), Health Information Trust Alliance (HITRUST), USA, 2009
– Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS), Direction Centrale de la Sécurité des Systèmes d'Information (DCSSI), Ministry of Defense, France, 2000
– Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health (HITECH) Act, USA, 1996 and 2009, respectively
– ISO/IEC 27000 series, Switzerland, 2009-2012
– National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, Department of Commerce, USA, 2010
– Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), Carnegie Mellon Software Engineering Institute (SEI), USA, 2001
– Payment Card Industry Data Security Standard (PCI DSS) v2.0, PCI Security Standards Council, USA, 2010
Best Practices
COBIT 5 Information Security Enablers
• Principles, policies and frameworks enabler
• Processes enabler
• Organisational structures enabler
• Culture, ethics and behaviour enabler
• Information enabler
• Services, infrastructure and applications enabler
• People, skills and competencies enabler
COBIT 5 Enabler Model – Generic (figure)
COBIT 5 for Information Security – Information (figure)
Detailed Guidance – Information Types (figure)
Detailed Guidance – Information Roles (figure)
Detailed Guidance – Culture & Behavior (figure)
Source: www.ISACA.org, COBIT 5 for Information Security
Recommended