CONFIDENTIAL - Copyright Scienton Technologies Inc. © 2003
Jovan Miladinovic, [email protected]
www.scienton.com
ISO17799 User Group
www.scienton.com/7799ug/
Data Protection 2003, Belgrade, December 2003
Information Risk Modeling
Scienton Differentiator Facts
- Patented Methodologies & Technologies: Information Security Model™, Trust Model Router™
- The first company in the world to:
  - Develop and use Information Security Model™ to map governance standards with real life infrastructure
  - Use Information Security Model™ for standard compliance measurement
- The first company in North America to become an associate consultancy of British Standards Institute
- The company to implement governance: Basel II, Sarbanes-Oxley, PIPEDA, OSFI, GLB; ISO17799, CobiT®, ITIL, ISO21827, ISO13335, GASSP
Scienton Governance & Information Strategy (diagram labels)
- Corporate Governance (Basel II, Sarbanes-Oxley, HIPAA, PIPEDA, GLBA)
- Mgmt System & Governance Controls: ISO17799 (BS7799); COSO, COCO
- Real Life Enterprise Information Structure: Information Security Model™ (objective, standardized, quantifiable, repeatable risk and audit); NSA Infosec Assessment
Scienton Information Governance Approach
Dynamic objective risk based Information Governance approach using the Information Security Model™:
- Practical, achievable, essential practices and policies
- Reliable, standardized, repeatable and quantifiable
- Defensible and intrusion responsive systems
Implement security during the business process development to achieve measurable:
- Cost effective security implementation
- Compliance to legislations and standards
- Low operation and management cost
- Use security as business advantage and generator
Scienton modeling adequately protects one's information
Governance Standards Translation & ISM™ Position (diagram labels)
- Corporate Governance (Sarbanes-Oxley, HIPAA, PIPEDA, GLBA, FIPPA)
- Information Security Model™
- Information Infrastructure
- Information Risk Modeling
- Security Strategy
- Information Security Modeling
- Mgmt. System & Governance Controls
- ISO17799 (BS7799)
- NSA Infosec Assessment
- COSO, COCO
Threat Risk Assessment & Security Strategy Challenges (Information Security Model™ Motives)
Security Strategy & Risk Assessment?
All business management standards (ISO*****, CobiT®, NSA, NIST, CC, CSE & RCMP) require Risk Analysis.
Security & Strategy Challenges
- Security & Risk Mystified – Difficult to comprehend
- Completeness of security implementation
- No single, simple and visual model to help implement information risk & security
- Corporate governance & IT are not connected
- Complex technology & information add to the problem
- Completeness of Audit & Risk
Security & Strategy Challenges
- Complexity of information risk & security mgmt.
- No model to measure corporate governance
- ISO 17799 and CobiT® are disconnected from the information infrastructure
- No model and tool to maintain the risk & security in constantly changing IT
Risk Analysis & Management Challenge
- Costly to perform
- Not easily repeatable
- Completeness – Business & IT goals are not the same
- Largely qualitative, subjective
- Not standardized
- No methodology or a model
- Is risk model defensible – TRA mitigation techniques not implemented
Information Security Model
F(ITE, ISC, ISA)
Information Security Model (diagram)
Information Assets per ISM™
Information Assets – Information Structure
- Automated: ISM™ Discovery modules; integration with management tools (HP OpenView, Tivoli, Unicenter)
- Manual: adding corporate tangible and intangible assets
Audit Information
- Automated: ISM™ vulnerability and policy audit modules; integration with security tools (NetIQ, Tivoli, CA eTrust, BMC Control-SA, Patrol); ISM™ audit against NIST, SANS, CSI best practices
- Manual: people audit, physical audit
Information Asset per ISM™ (cont'd)
Asset layers:
- Physical: Facilities (building, intruder alarm etc.), Office (contract, SLA, MOU, File Cabinets)
- Network (Switch, Router)
- Systems (W2K, Unix, MVS)
- Databases (Oracle, Sybase)
- Applications (ERP, Web)
- Users (Employees, Contractors, Partners)
Add Asset Value: 0-1; VH, H, M, L; $$$$ value
Threat Profiles
Threat Profile – Loss of:
- Confidentiality
- Integrity
- Availability
- Accountability (non-repudiation)
- Privacy
Add Impact Factor: Information owner business process value; Corporate image
Threat Profile Creation
Threat Profiles (cont'd)
Threat Profile Input – Likelihood of occurrence:
- RCMP Database
- Environment Canada Database
- Local Crime Databases
- OCIPEP, CSE, FBI, CSI statistics
- ISF threats information
- Threats information derived from statistics
Threat Profiles: Confidentiality, Integrity, Availability, Accountability, Privacy
Vulnerability Profiles
Vulnerability for Loss of:
- Confidentiality
- Integrity
- Availability
- Accountability (non-repudiation)
- Privacy
Assets: sorted vulnerabilities according to the ISM™ asset layers
Vulnerability Profile Creation
Vulnerability Profiles (cont'd)
Vulnerability Profile Input – International DBs: NIST-ICAT, CERT, CA-CERT, OCIPEP, CSE, FBI, CSI, ISF
Sort vulnerabilities: Functional (CIA); Asset Layer
Vulnerability Profiles: Confidentiality, Integrity, Availability, Accountability, Privacy
T&V Profiles Mapping with Assets (diagram labels)
- Information Asset
- Integrity Threat Profiles
- Integrity Vulnerability Profile
- RISK: LOSS OF INTEGRITY
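The slides above describe the mapping step in three parts: assets placed in ISM™ layers and given a 0-1 or VH/H/M/L value, threat profiles per loss type (confidentiality, integrity, availability, accountability, privacy) carrying a likelihood of occurrence and an impact factor, and vulnerability profiles sorted by asset layer and loss type. The Python below is an added illustration of that mapping written for this page; it is not Scienton's code and does not implement the patented model, whose function F(ITE, ISC, ISA) the deck never defines. The scoring rule (asset value x likelihood x vulnerability exposure x impact factor), the VH/H/M/L-to-number mapping, the rule for combining several vulnerabilities into one profile, the reporting bands and all sample assets, threats and vulnerabilities are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from math import prod


class Loss(Enum):
    """The five loss types the deck's threat and vulnerability profiles are built around."""
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"
    ACCOUNTABILITY = "accountability"   # non-repudiation
    PRIVACY = "privacy"


# Assumed mapping of the qualitative VH/H/M/L scale onto the 0-1 asset value scale.
QUALITATIVE_VALUE = {"VH": 1.0, "H": 0.75, "M": 0.5, "L": 0.25}


def asset_value(rating):
    """Accept either a 0-1 number or a VH/H/M/L label and return the 0-1 value."""
    if isinstance(rating, str):
        return QUALITATIVE_VALUE[rating.upper()]
    if not 0.0 <= rating <= 1.0:
        raise ValueError("asset value must be in the 0-1 range")
    return float(rating)


@dataclass(frozen=True)
class Asset:
    name: str
    layer: str     # ISM asset layer: Physical, Network, Systems, Databases, Applications, Users
    value: float   # 0-1


@dataclass(frozen=True)
class ThreatProfile:
    loss: Loss
    likelihood: float      # 0-1, likelihood of occurrence derived from incident statistics
    impact_factor: float   # 0-1, business process value plus corporate image


@dataclass(frozen=True)
class Vulnerability:
    layer: str        # asset layer the vulnerability is sorted under
    loss: Loss        # functional sort: which loss type it enables
    severity: float   # 0-1, chance the weakness is usable if the threat occurs


def vulnerability_profile(vulns, layer, loss):
    """Collapse the vulnerabilities sorted under one asset layer and one loss type into a
    single 0-1 exposure score.  Assumed combination rule: the chance that at least one of
    the (treated as independent) weaknesses applies, 1 - prod(1 - s_i)."""
    matching = [v.severity for v in vulns if v.layer == layer and v.loss is loss]
    if not matching:
        return 0.0
    return 1.0 - prod(1.0 - s for s in matching)


def risk_score(asset, threat, exposure):
    """Assumed scoring rule for one cell of the mapping (not the deck's F(ITE, ISC, ISA)):
    risk = asset value x threat likelihood x vulnerability exposure x impact factor."""
    return asset.value * threat.likelihood * exposure * threat.impact_factor


def risk_matrix(assets, threats, vulns):
    """Map every asset against every loss type: {(asset name, Loss): 0-1 score}."""
    by_loss = {t.loss: t for t in threats}
    matrix = {}
    for asset in assets:
        for loss in Loss:
            threat = by_loss.get(loss)
            if threat is None:
                matrix[(asset.name, loss)] = 0.0   # no threat profile built for this loss type
                continue
            exposure = vulnerability_profile(vulns, asset.layer, loss)
            matrix[(asset.name, loss)] = risk_score(asset, threat, exposure)
    return matrix


def rate(score):
    """Assumed bands for reporting a 0-1 score back on a qualitative scale."""
    if score <= 0.0:
        return "None"
    if score >= 0.3:
        return "High"
    if score >= 0.1:
        return "Medium"
    return "Low"


def ranked(matrix):
    """Highest-risk (asset, loss) pairs first; cells with no risk are dropped."""
    return sorted(((k, s) for k, s in matrix.items() if s > 0.0),
                  key=lambda kv: kv[1], reverse=True)


# Constructed sample data for the example (not taken from the deck).
ASSETS = [
    Asset("HR database", "Databases", asset_value("VH")),
    Asset("Core switch", "Network", asset_value("H")),
]
THREATS = [
    ThreatProfile(Loss.CONFIDENTIALITY, likelihood=0.5, impact_factor=1.0),
    ThreatProfile(Loss.INTEGRITY, likelihood=0.4, impact_factor=0.9),
    ThreatProfile(Loss.AVAILABILITY, likelihood=0.6, impact_factor=0.7),
]
VULNS = [
    Vulnerability("Databases", Loss.INTEGRITY, 0.5),
    Vulnerability("Databases", Loss.INTEGRITY, 0.3),
    Vulnerability("Databases", Loss.CONFIDENTIALITY, 0.8),
    Vulnerability("Network", Loss.AVAILABILITY, 0.4),
    Vulnerability("Network", Loss.AVAILABILITY, 0.2),
]

if __name__ == "__main__":
    for (name, loss), score in ranked(risk_matrix(ASSETS, THREATS, VULNS)):
        print(f"{name:12s} loss of {loss.value:16s} {score:.3f} {rate(score)}")
```

The point of the structure is the one the mapping slide makes: a cell is only non-zero when an asset, a threat profile for that loss type and a vulnerability profile for the asset's layer all exist, so a missing profile shows up as a visible zero rather than as an unexamined gap, and re-running the mapping after a control changes one profile recomputes every affected cell.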
Modeled Risk and Security Approach Advantages
- Optimized, standardized, structured, repeatable, ready, reliable Risk Assessment (T&V profiles)
- Controls are standardized (ISO17799/BS7799 & CobiT® based)
- Qualitative & quantitative, as we have a relation established for every single point in the visual presentation of the security space
- Complete & responsive modeled security management system
- Risk Mitigation directly connected with security implementation strategies – Controls applied appropriately!
- Proper information governance practice
- Support for corporate governance
Security Strategy Challenges (Information Security Model™ Motives)
Security Strategy Derived From Risk Assessment
Information Security Model™ Strategy
- Risk analysis – To protect the network and to control user access – implement a firewall
- After firewall implementation risk is low – is it?
- Can we see what we have accomplished with the firewall implementation?
- CheckPoint Firewall – Requirements: Control access to networks; Control access for users
- Can we use other security controls?
Risk & Security Strategy Modeling (diagram)
ISM™ Output - Security Strategy
1. Authentication & Access Control System/DB (Phase 1)
2. Identity Management (Phase 2)
3. Security Management Procedures (Phase 3)
4. Audit Log Consolidation, Intelligent Mgmt. Engine (Phase 4)
5. Security & Management Framework, Policy Compliance Mgmt. (Phase 5)
Advantages of the proposed approach
- Quantitative, constant in its application and therefore defensible
- Provides a managerial tool necessary for non-technical managers to manage information risk and make appropriate real time decisions
- Can be tailored for progressive implementation (a long-term vision to be reached in incremental steps, through early and repetitive wins)
- Models privacy as one of its components
- Information risk is part of the corporate governance
ISM™ Risk & Security Modeling Advantages
An initial risk analysis that can easily be updated and maintained:
- Takes care of the complexity of the technology environment automatically
- Continuous Risk Management and Security Management
- Can provide real time information (pending)
- Thorough and standardized: looks into all aspects of security (ISO and CobiT®)
- Adaptive – Tailored to any industry vertical
- Seamless, simple and visual blueprint for security strategy development
Risk & Security Modeling Summary
- Successful business level modeling
- Clear findings using Scienton Model
- Calculation of compliance to Policies & Standards
- Creation of information security and risk management strategy
- CIO/CSO can present findings to CEO, CFO & auditors
- Clear plan with ability to define budget requirements
- Scienton – The first company in North America to provide BS7799/ISO17799 standard compliance with model
- Used proven T&V profiles, methodology and process
SCIENTON™
The Information Risk and Security Modeling Company