Page 1: Information Risk Modeling

Jovan Miladinovic, Scienton Technologies Inc.
[email protected]
www.scienton.com
ISO17799 User Group: www.scienton.com/7799ug/

Data Protection 2003, Belgrade, December 2003

CONFIDENTIAL - Copyright Scienton Technologies Inc. © 2003

Page 2: Scienton Differentiator Facts

Patented methodologies and technologies:
- Information Security Model™
- Trust Model Router™

The first company in the world to:
- develop and use the Information Security Model™ to map governance standards to real-life infrastructure
- use the Information Security Model™ for standards compliance measurement

The first company in North America to become an associate consultancy of the British Standards Institute.

The company implements governance for Basel II, Sarbanes-Oxley, PIPEDA, OSFI, GLB, ISO17799, CobiT®, ITIL, ISO21827, ISO13335 and GASSP.

Page 3: Scienton Governance & Information Strategy (layered diagram)

- Corporate Governance (Basel II, Sarbanes-Oxley, HIPAA, PIPEDA, GLBA)
- Management System & Governance Controls: ISO17799 (BS7799); COSO, COCO
- Information Security Model™ (objective, standardized, quantifiable, repeatable risk and audit); NSA Infosec Assessment
- Real-Life Enterprise Information Structure

Page 4: Scienton Information Governance Approach

A dynamic, objective, risk-based information governance approach using the Information Security Model™:
- practical, achievable, essential practices and policies
- reliable, standardized, repeatable and quantifiable
- defensible and intrusion-responsive systems

Implement security during business process development to achieve measurable:
- cost-effective security implementation
- compliance with legislation and standards
- low operation and management cost
- use of security as a business advantage and generator

Scienton modeling adequately protects one's information.

Page 5: Governance Standards Translation & ISM™ Position (layered diagram)

- Corporate Governance (Sarbanes-Oxley, HIPAA, PIPEDA, GLBA, FIPPA)
- Management System & Governance Controls: ISO17799 (BS7799); NSA Infosec Assessment; COSO, COCO
- Information Security Model™: Information Risk Modeling, Security Strategy, Information Security Modeling
- Information Infrastructure

Page 6: Threat Risk Assessment & Security Strategy Challenges (Information Security Model™ Motives)

Security strategy and risk assessment? All business management standards (ISO*****, CobiT®, NSA, NIST, CC, CSE & RCMP) require risk analysis.

Page 7: Security & Strategy Challenges

- Security and risk are mystified and difficult to comprehend
- Completeness of security implementation
- No single, simple and visual model to help implement information risk and security
- Corporate governance and IT are not connected
- Complex technology and information add to the problem
- Completeness of audit and risk

Page 8: Security & Strategy Challenges

- Complexity of information risk and security management
- No model to measure corporate governance
- ISO 17799 and CobiT® are disconnected from the information infrastructure
- No model and tool to maintain risk and security in constantly changing IT

Page 9: Risk Analysis & Management Challenge

- Costly to perform
- Not easily repeatable
- Completeness: business and IT goals are not the same
- Largely qualitative and subjective
- Not standardized
- No methodology or model
- Is the risk model defensible? TRA mitigation techniques are not implemented

Page 10: Information Security Model

F(ITE, ISC, ISA)

Page 11: Information Security Model

Page 12: Information Assets per ISM™

Information assets – information structure:
- Automated: ISM™ discovery modules; integration with management tools (HP OpenView, Tivoli, Unicenter)
- Manual: adding corporate tangible and intangible assets

Audit information:
- Automated: ISM™ vulnerability and policy audit modules; integration with security tools (NetIQ, Tivoli, CA eTrust, BMC Control-SA, Patrol); ISM™ audit against NIST, SANS and CSI best practices
- Manual: people audit, physical audit

Page 13: Information Asset per ISM™ (cont'd)

Asset layers:
- Physical: facilities (building, intruder alarm, etc.)
- Office: contract, SLA, MOU, file cabinets
- Network: switch, router
- Systems: W2K, Unix, MVS
- Databases: Oracle, Sybase
- Applications: ERP, Web
- Users: employees, contractors, partners

Add asset value on one of the scales: 0-1; VH, H, M, L; $ value

Page 14: Threat Profiles

Threat profile creation. A threat profile is built for loss of:
- Confidentiality
- Integrity
- Availability
- Accountability (non-repudiation)
- Privacy

Add impact factor:
- Information owner business process value
- Corporate image

Page 15: Threat Profiles (cont'd)

Threat profile input – likelihood of occurrence:
- RCMP database
- Environment Canada database
- Local crime databases
- OCIPEP, CSE, FBI, CSI statistics
- ISF threat information
- Threat information derived from statistics

Output: threat profiles for confidentiality, integrity, availability, accountability and privacy.

Page 16: Vulnerability Profiles

Vulnerability profile creation. A vulnerability profile is built for loss of:
- Confidentiality
- Integrity
- Availability
- Accountability (non-repudiation)
- Privacy

Assets: vulnerabilities are sorted according to the ISM™ asset layers.

Page 17: Vulnerability Profiles (cont'd)

Vulnerability profile input – international databases: NIST ICAT, CERT, CA-CERT, OCIPEP, CSE, FBI, CSI, ISF

Sort vulnerabilities by:
- function (CIA)
- asset layer

Output: vulnerability profiles for confidentiality, integrity, availability, accountability and privacy.

Page 18: T&V Profiles Mapping with Assets

Diagram: an information asset is mapped against its integrity threat profiles and its integrity vulnerability profile to give the risk of loss of integrity for that asset.

Page 19: Modeled Risk and Security Approach Advantages

- Optimized, standardized, structured, repeatable, ready and reliable risk assessment (T&V profiles)
- Controls are standardized (ISO17799/BS7799 and CobiT® based)
- Qualitative and quantitative, since a relation is established for every single point in the visual presentation of the security space
- Complete and responsive modeled security management system
- Risk mitigation directly connected with security implementation strategies – controls applied appropriately!
- Proper information governance practice
- Support for corporate governance

Page 20: Security Strategy Challenges (Information Security Model™ Motives)

Security strategy derived from risk assessment.

Page 21: Information Security Model™ Strategy

Risk analysis: to protect the network and to control user access, implement a firewall.
- After the firewall implementation the risk is low – is it?
- Can we see what we have accomplished with the firewall implementation?
- CheckPoint Firewall requirements: control access to networks; control access for users
- Can we use other security controls?
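The following is an added example in Python, not code from the deck or from Scienton. It works through the mapping shown on Page 18 (information asset x threat profile x vulnerability profile, giving a risk of loss per category) for all five loss categories, and then re-runs the same mapping with a firewall control applied to answer the Page 21 question of whether the risk is actually low afterwards. The asset names, the threat likelihoods and impact factors, the vulnerability severities, the VH/H/M/L to 0-1 mapping and the multiplicative scoring formula are all constructed assumptions; the slides give the structure of the model, not its arithmetic.

```python
# Added example (not Scienton's own code or model). It works through the
# Page 18 mapping: information asset x threat profile x vulnerability profile
# -> risk of loss per category, then re-runs it with a firewall control
# applied to ask the Page 21 question, "after the firewall, is the risk low?".
# Asset names, scores and the multiplicative formula are constructed assumptions.
from dataclasses import dataclass

LOSS_CATEGORIES = ("confidentiality", "integrity", "availability",
                   "accountability", "privacy")           # Page 14 / Page 16
ASSET_LAYERS = ("physical", "office", "network", "systems",
                "databases", "applications", "users")     # Page 13

# Assumed mapping of the qualitative VH/H/M/L asset-value scale onto 0-1.
VALUE_SCALE = {"VH": 1.0, "H": 0.75, "M": 0.5, "L": 0.25}


@dataclass(frozen=True)
class Asset:
    name: str
    layer: str      # one of ASSET_LAYERS
    value: str      # one of VALUE_SCALE


@dataclass(frozen=True)
class ThreatProfile:
    # Likelihood of occurrence (Page 15 inputs) and impact factor (Page 14),
    # both assumed here to be normalised to the 0-1 range.
    category: str
    likelihood: float
    impact_factor: float


@dataclass(frozen=True)
class Vulnerability:
    # Sorted by function (loss category) and asset layer, as on Page 17.
    vuln_id: str
    category: str
    layer: str
    severity: float                          # assumed 0-1
    mitigated_by: frozenset = frozenset()    # names of controls that close it


def vulnerability_profile(vulns, category, layer, controls=()):
    """Assumed aggregation: the worst still-open vulnerability for this category/layer."""
    active = set(controls)
    open_scores = [v.severity for v in vulns
                   if v.category == category and v.layer == layer
                   and not (v.mitigated_by & active)]
    return max(open_scores, default=0.0)


def risk_of_loss(asset, threats, vulns, category, controls=()):
    """Assumed formula: asset value x likelihood x impact factor x vulnerability."""
    t = threats[category]
    v = vulnerability_profile(vulns, category, asset.layer, controls)
    return round(VALUE_SCALE[asset.value] * t.likelihood * t.impact_factor * v, 3)


def risk_matrix(assets, threats, vulns, controls=()):
    """Risk of loss for every asset and every loss category (the Page 18 mapping)."""
    return {a.name: {c: risk_of_loss(a, threats, vulns, c, controls)
                     for c in LOSS_CATEGORIES} for a in assets}


def highest_residual(matrix):
    """(asset, category, risk) with the largest risk left in the matrix."""
    return max(((a, c, r) for a, row in matrix.items() for c, r in row.items()),
               key=lambda x: x[2])


# Constructed sample data: three assets on three ISM layers, one threat
# profile per loss category, and six layer-sorted vulnerabilities.
ASSETS = [Asset("edge-router", "network", "H"),
          Asset("orders-db", "databases", "VH"),
          Asset("finance-staff", "users", "M")]

THREATS = {p.category: p for p in (
    ThreatProfile("confidentiality", 0.6, 0.8),
    ThreatProfile("integrity", 0.4, 0.9),
    ThreatProfile("availability", 0.7, 0.6),
    ThreatProfile("accountability", 0.3, 0.5),
    ThreatProfile("privacy", 0.5, 0.7))}

VULNS = [
    Vulnerability("V1", "confidentiality", "network", 0.8, frozenset({"firewall"})),
    Vulnerability("V2", "availability", "network", 0.6, frozenset({"firewall"})),
    Vulnerability("V3", "integrity", "network", 0.3),                 # no control planned
    Vulnerability("V4", "integrity", "databases", 0.9, frozenset({"db-access-control"})),
    Vulnerability("V5", "confidentiality", "databases", 0.7, frozenset({"db-access-control"})),
    Vulnerability("V6", "privacy", "users", 0.6, frozenset({"awareness-training"})),
]

if __name__ == "__main__":
    before = risk_matrix(ASSETS, THREATS, VULNS)
    after = risk_matrix(ASSETS, THREATS, VULNS, controls=("firewall",))
    for name in before:
        print(name, "before:", before[name], "after firewall:", after[name])
    print("largest residual risk after firewall:", highest_residual(after))
```

Run as a script, the firewall drives the router's confidentiality and availability risk to zero, but the database asset, which carries the largest risk in the matrix, is untouched because its vulnerabilities sit on a different asset layer and are closed by a different control. That is the point of keeping the threat and vulnerability profiles tied to asset layers: the question "is the risk low now?" can be answered per asset and per loss category instead of being assumed from the presence of one control.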

Page 22: Risk & Security Strategy Modeling

Page 23: Risk & Security Strategy Modeling

Page 24: Risk & Security Strategy Modeling

Page 25: ISM™ Output - Security Strategy

Phases:
1. Authentication & Access Control System/DB (Phase 1)
2. Identity Management (Phase 2)
3. Security Management Procedures (Phase 3)
4. Audit Log Consolidation, Intelligent Management Engine (Phase 4)
5. Security & Management Framework, Policy Compliance Management (Phase 5)

Page 26: Advantages of the proposed approach

- Quantitative and constant in its application, and therefore defensible
- Provides the managerial tool that non-technical managers need to manage information risk and make appropriate real-time decisions
- Can be tailored for progressive implementation (a long-term vision reached in incremental steps, through early and repeated wins)
- Models privacy as one of its components
- Information risk is part of corporate governance

Page 27: ISM™ Risk & Security Modeling Advantages

An initial risk analysis that can easily be updated and maintained:
- Takes care of the complexity of the technology environment automatically
- Continuous risk management and security management
- Can provide real-time information (pending)

Thorough and standardized: looks into all aspects of security (ISO and CobiT®). Adaptive: tailored to any industry vertical. A seamless, simple and visual blueprint for security strategy development.

Page 28: Risk & Security Modeling Summary

- Successful business-level modeling
- Clear findings using the Scienton Model
- Calculation of compliance with policies and standards
- Creation of an information security and risk management strategy
- CIO/CSO can present findings to the CEO, CFO and auditors
- Clear plan with the ability to define budget requirements
- Scienton: the first company in North America to provide BS7799/ISO17799 standard compliance with a model
- Uses proven T&V profiles, methodology and process

Page 29: SCIENTON™ – The Information Risk and Security Modeling Company