Information Security Management
David Boyles, CxO Technology Advisor, Microsoft Australia & New Zealand



Information Security Management
• Why is information security so important?
• Market Trends
• Board/CxO Drivers
• Organisational Diagnostic
• Key Principles
• Structured Approach
• Build for Strength
• Manage Access
• Test & Monitor
• Final Thoughts & Some Resources

Trend: Explicit Fiduciary Duties
• Consumer protection and privacy (Privacy Act 1988, Trade Practices Act, FSRA)
• Newly legislated director and officer responsibilities for internal control, integrity of financials and accuracy of disclosures (CLERP 9, Sarbanes-Oxley)
• Increased external audit scrutiny
• Director and officer responsibilities for risk management, including BCP/DRP

Trend: Market Capitalisation
The market capitalisation of most companies is typically ¼ tangible (on balance sheet) and ¾ intangible. Physical assets may have driven corporate market value decades ago, but no longer. Organisations with competitive capabilities based on hard-to-replicate intangibles are rewarded with greater market value. Intangible assets usually consist of repeatable processes, data stores, people, and intellectual property. Repeatable processes are frequently software running on IT infrastructure. Data stores can be anywhere in the company, but usually are managed within IT.

Question: Why don't most companies track intangibles with the same level of rigour they track tangibles (eg trucks, buildings, chairs, desks, etc)?

Trend: Business Process Automation
End user sales/service continues to shift from people to fully automated channels (IT). There may have been a dotcom crash, but the trends are now plain to see: more and more business is conducted over fully automated channels. Many banks, for instance, would be at or above 75% of all customer transactions totally automated. My guess is that Dell is 90%+.

Question: Are organisations paying attention to this trend and building systems that have the robustness needed?

Board/CxO Drivers
• Assets. Intangibles such as customer data and repeatable processes must be protected from internal and external threats. What would happen if your primary customer databases were to be irretrievably corrupted? Or stolen? Or lost?
• Business Survival. Every organisation (and in particular public companies) must be able to handle the unusual event (eg extreme volumes of work) or an actual disaster (loss of data centre or HQ building). Lack of planning and testing of these capabilities can lead to a complete business failure.
• Contractual Obligations. Most contracts stipulate conditions for use of information obtained from the contracted party (consumer, government, business).
• Legal & Regulatory Compliance. The web of obligations from state and national governments continues to build in size and complexity: consumer privacy, accuracy of publicly reported information, etc.

Conclusion: Information Security is a business issue, not just an IT issue.

Organisational Diagnostic
Rate each statement from 1 to 5 (1 = Disagree, 3 = Somewhat Agree, 5 = Agree).

1. The business goals and drivers for information security are clearly understood by Board members, executive management and throughout the organisation.

2. Information security is considered a "business problem" here.

3. We have taken a structured, comprehensive approach to implementing information security management, based on ISO 17799.

4. Our key corporate assets, processes and obligations have been identified and appropriately protected from ongoing and event related threats.

5. We use a rigorous model to assess the probability and severity of information security threats.

6. This model (#5) is also used to prioritise our mitigation efforts.

7. We have a clearly identified information security manager and a governing body that meets regularly.

8. We have had no significant security failures that produced customer impacts or financial loss.

9. We do not have any recurring Audit issues in this arena.

10. The Board and Management are confident that we can survive unusual events and/or disasters, such as the loss of our data centre or HQ building.

© 2005 Microsoft & Infosys

Key Principles
• Business issue: get CEO/Board level agreement that this is a business issue that requires business governance and business funding
• Identify: key assets, critical processes & operations, regulatory requirements, and legal/contractual obligations
• Be rigorous: use a proven, thorough model to assess ongoing or event related risks:
  • Probability of occurrence
  • Severity of occurrence
• Be commercial: prevent occurrence where commercially feasible; develop good incident management practices where prevention is uneconomical: "Stuff happens"

Structured Approach
• Obtain an ISO17799/AS7799 baseline assessment, preferably from an outside expert
• Study & understand the assessment results
• Get buy-in & commitment from the MD & Board
• Establish leadership, governance, organisation, budget
• Set clear priorities, goals & outcomes
• Build an implementation roadmap including accountabilities, milestones, measurable outcomes
• Begin the journey
• Use Internal Audit to periodically monitor progress
• Perform a comprehensive 7799 assessment every 1-2 years

Good Practice Model
The model is a cycle: Assess, Review Findings, Understand Threats, Organise & Plan, Act (Mitigate Threats), Monitor, Test, Review, then back to Assess.

Assess
• Perform an ISO 17799 Baseline Assessment
• ISO 17799 is internationally recognised as the standard for Information Security
• Many free or near free tools, policies and processes are available for use

Review Findings
• The baseline assessment provides a clear view of needed info security improvements
• Management should provide an executive summary of weaknesses
• Finally, a conceptual plan should be designed for remediation

Understand Threats, Organise & Plan
• Get buy-in & commitment
• Governance organisation must be set up
• Develop threats & impacts matrix
• Set goals & priorities based on the probability vs impact matrix
• Build action roadmap

Act (Mitigate Threats)
• Begin the journey
• Implement ongoing structures & activities
• Inventory information assets
• Kick off needed remediation projects
• Report regularly to Risk Committee

Monitor, Test, Review
• Audit internal progress periodically, usually on a six month cycle
• Perform a complete ISO 17799 assessment within one to two years
• Cycle back through this process

© 2005 Microsoft & Infosys

Build for Strength
Strong security is purpose built & requires:
• Business process architecture & standards
• IT architecture & standards
• Explicit and enforced info security architecture standards
• Rationalised, robust infrastructure
• Real time monitoring

Result: defence in depth (passive and active)

Manage Access
Internal staff are still the primary source of harmful impacts, via deliberate action (malicious) or deliberate inaction (eg failure to configure ports on servers or to back up data).

You should question and act on:
• Administrators: how many? What privileges? Why?
• Physical security (inc. buildings & hardware, but also question how backups are handled, how data is provided to marketing firms, etc.)
• Outdated IDs & passwords
• Weak password/ID solutions vs two factor solutions
• Legacy system weaknesses (eg call centre rep sign-on equals access to all customer information)
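The questions above are answerable from an account inventory, and the answers change as IDs go stale, so an access review is worth scripting rather than doing by hand. The block below is an added example, not code from the deck or from Microsoft: it runs the Manage Access questions (administrator count and privileges, IDs not used within a cut-off, privileged IDs that still sign on with a password alone, IDs nobody owns) over a constructed inventory. The account records, names, dates, the 90-day cut-off and the privilege names treated as administrative are all assumptions made for the example.

```python
"""Access review over a constructed account inventory.

Added example for the "Manage Access" questions: how many administrators,
what privileges, which IDs are outdated, which privileged IDs rely on a
password alone, and which IDs have no accountable owner. Every account,
name and date below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Account:
    user_id: str
    owner: str                   # "" when no person is recorded as owning the ID
    privileges: FrozenSet[str]
    last_login: Optional[date]   # None means the ID has never been used
    enabled: bool
    mfa_enrolled: bool           # True when a second factor is required at sign-on


# Privilege names treated as administrative (assumption made for the example).
ADMIN_PRIVILEGES = frozenset({"domain_admin", "local_admin", "db_admin"})

# Review date and constructed sample inventory (hypothetical identifiers).
AS_OF = date(2005, 6, 30)
ACCOUNTS: List[Account] = [
    Account("alice", "Alice Smith", frozenset({"domain_admin"}), date(2005, 6, 28), True, True),
    Account("bob", "Bob Jones", frozenset({"local_admin"}), date(2005, 3, 1), True, False),
    Account("svc_backup", "", frozenset({"db_admin"}), date(2005, 6, 29), True, False),
    Account("carol", "Carol Lee", frozenset({"user"}), None, True, False),
    Account("dave", "Dave Kim", frozenset({"domain_admin"}), date(2004, 12, 15), False, True),
    Account("erin", "Erin Park", frozenset({"user"}), date(2005, 6, 30), True, True),
]


def admin_accounts(accounts: List[Account]) -> Dict[str, List[str]]:
    """Enabled IDs holding any administrative privilege, mapped to those privileges."""
    return {
        a.user_id: sorted(a.privileges & ADMIN_PRIVILEGES)
        for a in accounts
        if a.enabled and a.privileges & ADMIN_PRIVILEGES
    }


def single_factor_admins(accounts: List[Account]) -> List[str]:
    """Administrative IDs that can still sign on with a password alone."""
    admins = admin_accounts(accounts)
    return sorted(a.user_id for a in accounts if a.user_id in admins and not a.mfa_enrolled)


def dormant_accounts(accounts: List[Account], as_of: date = AS_OF,
                     max_idle_days: int = 90) -> List[str]:
    """Enabled IDs not used within max_idle_days of as_of; never-used IDs count as dormant."""
    dormant = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled; purging it is a separate clean-up step
        if a.last_login is None or (as_of - a.last_login).days > max_idle_days:
            dormant.append(a.user_id)
    return sorted(dormant)


def orphaned_accounts(accounts: List[Account]) -> List[str]:
    """Enabled IDs with no recorded owner, so nobody is accountable for them."""
    return sorted(a.user_id for a in accounts if a.enabled and not a.owner)


def access_review(accounts: List[Account], as_of: date = AS_OF,
                  max_idle_days: int = 90) -> dict:
    """One report answering the Manage Access questions for an inventory."""
    admins = admin_accounts(accounts)
    return {
        "admin_count": len(admins),
        "admins": admins,
        "single_factor_admins": single_factor_admins(accounts),
        "dormant": dormant_accounts(accounts, as_of, max_idle_days),
        "orphaned": orphaned_accounts(accounts),
    }


if __name__ == "__main__":
    for key, value in access_review(ACCOUNTS).items():
        print(f"{key}: {value}")
```

Run as a script it prints the report for the sample inventory; the same functions fed a real export (for instance directory or HR data joined on user ID) give the list a manager can act on. The cut-off is a parameter because a 90-day rule that is right for staff IDs is often wrong for seasonal or contractor IDs, and a disabled ID is deliberately left out of the dormant list so that the two clean-up actions (disable, then purge) stay distinct.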

Actively Test & Monitor
Test your defences frequently:
• Paid hackers
• Key management & encryption processes
• Business Continuity Plans
• Disaster Recovery Plans
• Physical security

"Real time" monitor all boxes & applications

Final Thoughts
Stay Very, Very Concerned
Let's assume your organisation already has a good program in place. What should keep you awake at night?
• Real business ownership (leadership, accountability, budget, training & awareness, compliance with policies & standards)
• Legacy applications (esp. sign on = full access to customer details)
• Access management (esp. unpurged IDs & passwords)
• Configuration management
• Un-encrypted customer info (credit card details?)
• Administrative privileges
• Physical security

Consider Partnering
• Real info sec experts are rare
• Most market offerings are "slices of the pie", not structured, complete solutions. This means you must orchestrate total solutions.
• Primary sources of help include: large IT companies, specialist info security companies, consulting firms
• Don't ignore the substantial amount of free resource available (based on ISO 17799)

Some Resources
• www.microsoft.com.au/security (free information, tools, policies and best practice guides)
• www.sans.org (training, free assessment tool)
• ist.socrates.berkeley.edu:2002/pols.htm (policies)
• irm.cit.nih.gov/security/sec_policy.html (policies)
• www.sans.org/resources/policies (sample policies)
• www.auscert.org (bulletins, training, publications)
• www.cert.org (advisories, statistics, publications)
• www.iso17799-made-easy.com (toolkit)
• www.iso-17799.com (tools, FAQs, etc)
• www.bridgepoint.com.au (free ISO17799/AS7799 assessment tool)

Thanks, Any Questions?

Note: The opinions expressed herein are my own, based on experience in the CIO/COO role, information provided by CIO colleagues, and publicly available fact-based research. Organisational Diagnostic slide and Good Practice Model slide are courtesy of Microsoft and Infosys – part of a soon to be published “Guide to Getting Business Value from IT”

David Boyles, Executive Technology Advisor, Microsoft, [email protected]

CxO Technology Advisory Pty, [email protected]