
Page 1: Convergence Iissm 2008 Ab 121108

Security Convergence

November 12 2008 ISSM 2008 Goa India

Physical, Human? and Information

Page 2: Convergence Iissm 2008 Ab 121108

What do we need to secure?

Tangible Wealth - Assets
Intangible wealth – Information
Human Resources

Where?
Physical Space – Premises
Cyber Space – IT Resources
Thoughts in the Mind?



Page 4: Convergence Iissm 2008 Ab 121108

Why does it need to be secured?

Threat vs risk
Consequences of loss
Level of protection


Page 5: Convergence Iissm 2008 Ab 121108

Is there a need for Convergence?

Agenda
Traditional Security Divisions
What is convergence
Benefits and Challenges
Findings of Surveys
Evolution of Integrated Enterprise Risk Management
Standards and Best Practices


Page 6: Convergence Iissm 2008 Ab 121108

Traditional Security Concerns

Physical Security

Personnel Security

Communication Security


Page 7: Convergence Iissm 2008 Ab 121108

Major Threats

Sabotage
Subversion
Espionage
Terrorist attack
Mob violence
Pilferage


Page 8: Convergence Iissm 2008 Ab 121108

Sabotage Precautions

Access Control

Check fire fighting aids

Bomb fire mock drill

Decoy drills

Patrolling of Premises

Sensitization


Page 9: Convergence Iissm 2008 Ab 121108

Subversion Precautions

Vetting

Re-verification

Sensitization

Watch on potential targets

Sudden wealth


Page 10: Convergence Iissm 2008 Ab 121108

Espionage Precautions

Vetting

Communication Security

Watch potential targets

Liaison with Intelligence agencies

Sensitization


Page 11: Convergence Iissm 2008 Ab 121108

Terrorist Attack

Sneak entry

Suicide attack

Missile attack

Sabotage

Cyber terrorism


Page 12: Convergence Iissm 2008 Ab 121108

Mob Violence

Security protection scheme

Police to secure area

Restrict entry

Strict access control

Placate agitators

Activate leaders to mediate


Page 13: Convergence Iissm 2008 Ab 121108

Pilferage

Access control
Checking
Accounting
Patrolling
Random checks
Consumption pattern


Page 14: Convergence Iissm 2008 Ab 121108

Threat Categories

Theft of wealth for benefit
- Tangible – assets
- Intangible – Information: to help steal assets; to help compete against

Destroy without material gain
- Terrorism – both tangible and intangible wealth

Page 15: Convergence Iissm 2008 Ab 121108

Threat Categories

System Failures
Negligence
Carelessness and Complacency
Accidents
Natural Hazards

Page 16: Convergence Iissm 2008 Ab 121108

Interrelated Security Functions

Intelligence & Advance warning
Threats Analysis & Security System Analysis
Physical Security
Communication, Information & IT Security
Personnel & HRD Security
Guards
Investigation
Fire & Disaster Protection
Fail Safe/Fail Soft & Event Logging

Page 17: Convergence Iissm 2008 Ab 121108

Traditional Approaches

Insulated Departments
Silos
Unnecessary need to know policy
Need to know or ‘better not know’
Inadequate sharing of Information
Specialisation

Page 18: Convergence Iissm 2008 Ab 121108

Convergence

Convergence of historically disparate security functions

Convergence is endorsed by the three leading international organizations for security professionals --

Page 19: Convergence Iissm 2008 Ab 121108

Convergence

Integration enables an organization to establish and manage a single, consolidated repository for all authentication credentials, and to have a centralized means of setting access privileges for both physical and logical resources.


Page 20: Convergence Iissm 2008 Ab 121108

Convergence

This identity-based convergence makes it possible for organizations to have:

One identity-based system for managing all physical and logical access;
A unified network policy for both network and remote access that leverages card status and location information from physical access systems;
Exchange of events and alarms from the physical access system to the logical access system;

Page 21: Convergence Iissm 2008 Ab 121108

Convergence

An identity-based reporting system for use in forensic investigations; and

A streamlined workflow for creating, deleting and modifying user identities from both systems simultaneously.

Balanced and Mandatory Information Exchange


Page 22: Convergence Iissm 2008 Ab 121108

Enabler for Convergence

Open Security Exchange ... Not for Profit association

Defines convergence as the migration of physical and IT security towards common objectives, processes and architectures.

Enable vendor-neutral interoperability among diverse security components to support overall enterprise risk management needs.

Page 23: Convergence Iissm 2008 Ab 121108

Benefits of Convergence

Stronger, more integrated security
Greater overall control
Affordable dual factor authentication
Coordinated responses to problems or emergency situations
Regulatory compliance .. US?
A solution to tailgating
A deterrent to ‘we were never told’

All of these benefits – plus the better protection, cost savings, risk reduction, and increased compliance associated with them – make converged physical and logical security a worthwhile goal.

Page 24: Convergence Iissm 2008 Ab 121108

Requirements of Convergence

Approach security from a holistic view;
Offer fine-grained, zone-based logical access coupled to a user’s badge status and location;
Leverage existing security investments;
Enforce both physical and logical security policies;
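The identity-based convergence described on slides 19 to 21 (one consolidated credential repository, a logical access policy that consults badge status and location, exchange of events between the physical and logical systems, identity-based forensic reporting, and a single workflow for creating and deleting identities in both systems) together with the zone-based logical access requirement on slide 24 can be shown as one small policy point. The Python below is an added example, not code from the presentation or from any product or organization it mentions; every user, badge id, zone, event, resource name and policy entry is constructed, and the "onsite"/"remote" origin labels and the zone table are assumptions about how such a deployment might be configured.

```python
"""Converged physical + logical access policy point (added example, not from
the slides). A physical access control system emits badge in/out events per
zone, the logical access system asks one policy point before granting a
login, and both share one identity repository. All data below is constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

@dataclass
class BadgeEvent:
    user: str
    zone: str       # constructed zone name, e.g. "datacenter"
    action: str     # "in" or "out"
    time: datetime

@dataclass
class Decision:
    user: str
    resource: str
    origin: str                 # "onsite" or "remote" (assumed labels)
    badge_zone: Optional[str]   # zone the badge system places the user in
    allowed: bool
    reason: str

# The single, consolidated identity repository both systems consult (constructed).
IDENTITIES: Dict[str, Dict[str, str]] = {
    "alice": {"badge": "B-1001", "status": "active"},
    "bob": {"badge": "B-1002", "status": "active"},
    "carol": {"badge": "B-1003", "status": "active"},
}

# Zone a user must be badged into for local access to a resource;
# None marks a remote-only resource (constructed policy table).
ZONE_POLICY: Dict[str, Optional[str]] = {"dc-console": "datacenter", "vpn": None}

def badge_zone_at(events: List[BadgeEvent], user: str, at: datetime) -> Optional[str]:
    """Replay the user's badge events up to `at`; return the zone they are in."""
    zone = None
    for ev in sorted(events, key=lambda e: e.time):
        if ev.user != user or ev.time > at:
            continue
        if ev.action == "in":
            zone = ev.zone
        elif ev.action == "out" and ev.zone == zone:
            zone = None
    return zone

def decide(events: List[BadgeEvent], user: str, resource: str,
           origin: str, at: datetime) -> Decision:
    """Identity status first, then badge status and location, then the zone rule."""
    zone = badge_zone_at(events, user, at)
    ident = IDENTITIES.get(user)
    if ident is None or ident["status"] != "active":
        return Decision(user, resource, origin, zone, False, "identity not active")
    required = ZONE_POLICY.get(resource)
    if required is None:
        if zone is not None:  # badge system says on-site, yet the login is remote
            return Decision(user, resource, origin, zone, False,
                            f"remote login while badged into {zone}")
        return Decision(user, resource, origin, zone, True, "remote login, not on-site")
    if origin != "onsite":
        return Decision(user, resource, origin, zone, False,
                        "local-only resource requested remotely")
    if zone != required:
        # Console login in a zone the badge system never saw the user enter:
        # the tailgating / shared-credential case a converged system surfaces.
        return Decision(user, resource, origin, zone, False,
                        f"no badge-in to {required} (badge zone: {zone})")
    return Decision(user, resource, origin, zone, True, f"badged into {required}")

def deprovision(user: str) -> None:
    """Leaver workflow: one change in the shared repository revokes both accesses."""
    IDENTITIES[user]["status"] = "disabled"

def forensic_report(decisions: List[Decision]) -> List[str]:
    """Identity-based report joining each logical decision with its badge context."""
    return [f"{d.user} {d.resource} origin={d.origin} badge_zone={d.badge_zone} "
            f"{'ALLOW' if d.allowed else 'DENY'} ({d.reason})" for d in decisions]

def run_scenario() -> List[Decision]:
    """Constructed badge log and login requests for one morning."""
    IDENTITIES["bob"]["status"] = "active"  # reset so the scenario is repeatable
    day = datetime(2008, 11, 12)
    events = [
        BadgeEvent("alice", "lobby", "in", day.replace(hour=8, minute=0)),
        BadgeEvent("alice", "datacenter", "in", day.replace(hour=8, minute=10)),
        BadgeEvent("bob", "lobby", "in", day.replace(hour=8, minute=5)),
    ]  # carol has no badge events: she is working remotely
    at = day.replace(hour=9)
    decisions = [
        decide(events, "alice", "dc-console", "onsite", at),  # allow
        decide(events, "bob", "dc-console", "onsite", at),    # deny: no datacenter badge-in
        decide(events, "carol", "vpn", "remote", at),         # allow
        decide(events, "alice", "vpn", "remote", at),         # deny: badged on-site
    ]
    deprovision("bob")
    decisions.append(decide(events, "bob", "dc-console", "onsite", at))  # deny: disabled
    return decisions
```

Running `forensic_report(run_scenario())` prints one line per decision with the badge zone beside the logical outcome, which is the kind of identity-based record slide 21 describes for investigations. The order of checks in `decide` is the design point: a disabled identity is refused before any location logic runs, so a single deprovisioning step closes both doors, and the zone comparison turns a badge system that "never saw the user enter" into a denial rather than a silent allow.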

Page 25: Convergence Iissm 2008 Ab 121108

Requirements of Convergence

Have monitoring and reporting capabilities in order to demonstrate compliance with applicable acts;
Be cost-effective for companies of all types and sizes;
Be easy to deploy; and
Deliver a measurable return on investment.

Page 26: Convergence Iissm 2008 Ab 121108

Challenges

Conventional attitudes
Need for knowledge beyond traditional security domain
Non security benefits of security systems – resource questions
Diverse usage patterns – realistic estimation
Judicious balance of High technology and the rest
Inadequate common recording standards

Page 27: Convergence Iissm 2008 Ab 121108

Findings of Surveys on Convergence

Annual Global Information Security Survey 2007

“We have realized that the focus and drivers of information security may change over the years, but the need to protect information assets remains virtually important to businesses globally. Organizations are beginning to recognize that information security can deliver more than just protection for information.”


Page 28: Convergence Iissm 2008 Ab 121108

Findings of Surveys on Convergence

Though converged security is emerging, there is a greater need for interaction between IT and general management.
Thus alignment of IT and business objectives needs greater attention.
Thus IT governance principles on the lines of COBIT and ITIL need to be established.

Page 29: Convergence Iissm 2008 Ab 121108

Evolution of Integrated Enterprise Risk Management

The Alliance for Enterprise Security Risk Management (AESRM) – Convergent Security Risks in Physical Security Systems and IT Infrastructures
Created in late 2004/early 2005
Partners:
– ASIS International
– Information Systems Security Association (ISSA)
– ISACA
Combined worldwide membership in excess of 90,000

Page 32: Convergence Iissm 2008 Ab 121108

Findings of Surveys on Convergence

Page 36: Convergence Iissm 2008 Ab 121108

Standards and Best Practices

- BS 25999-1:2006: Business Continuity Management Code of Practice (management system for disaster recovery and business continuity)
- BS 7799-3:2006: Guidelines for Information Security Risk Management (management system approach for the assessment and treatment of risk)
- ISO/PAS 28000: Specification for Security Management Systems for the Supply Chain (management system specification for physical security)

Page 37: Convergence Iissm 2008 Ab 121108

Standards and Best Practices

- ISO 22000: Food Safety Management Systems – Requirements for Any Organization in the Food Chain (management system for preventing the introduction of food safety hazards)
- OHSAS 18001: Occupational Health and Safety Management (specification for health and safety management systems)

Page 38: Convergence Iissm 2008 Ab 121108

Standards and Best Practices

Three specific practices and standards that are becoming widely adopted around the world:
• ITIL V3 – Published by the UK government to provide a best practice framework for IT service management
• CobiT 4.1 – Published by ITGI and positioned as a high-level governance and control framework
• ISO/IEC 27002:2005 – Published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) and derived from the UK government’s BS 7799, renamed ISO/IEC 17799:2005, to provide a framework of a standard for information security management

Page 39: Convergence Iissm 2008 Ab 121108

Thank You

Questions and discussions
