Security Governance
Technology Executive Club
Patti Suarez, CISSP
Global Information Security Manager
Wm. Wrigley Jr. Company
About the presenter
Patti Suarez
Global Information Security Manager for Wm. Wrigley Jr. Company
15 years of experience in information security, with the financial services, health care and telecommunications industries
Certified Information System Security Specialist
Graduate of Roosevelt University, B.S. Telcom
Objectives for today’s presentation
Wrigley’s Global Information Security Model
Informative
What are the drivers for Information Security at Wrigley?
Explain how Wrigley’s Information Security foundation is standards based
Recent Threat statistics
The Time for Information Security is Now
External Drivers
• Changing customer structures
• E-commerce opportunities
• Changing market expectations
• Technology development
Internal Drivers
• Desire to meet changing customer needs and increase speed-to-market
• Need for global information sharing
Information Security is not just technology
Wrigley’s Security Program:
An integrated approach to selecting and deploying tools, operational processes and organizational roles.
Regulations have placed the final accountability for securing corporate and customer information on the shoulders of the Board of Directors.
Gramm-Leach-Bliley
HIPAA
EU Privacy
Duty to Disclose Security Breach – CA
COPPA (Children’s Online Privacy Protection Act)
Sarbanes-Oxley Act
Federal Information Security Management Act
Information Security is not just technology
Everyone in Wrigley needs to have a basic understanding of information security requirements.
Specific responsibilities across the organization need to be clear.
The Threats Are Real
Security breaches occur at 85% of U.S. businesses and government organizations. (Mar 13, 2001)
More than 7,000 viruses detected this year. (Dec 12, 2002)
Three percent of online sales will be lost because of credit card fraud. (Dec 05, 2002)
Internet attacks against public and private organizations jumped 28 percent from January to June 2002. (Oct 24, 2002)
Roughly 180,000 Internet-based attacks hit U.S. businesses in the first half of 2002. (Jul 09, 2002)
Reports on inside security breaches up 7 percentage points over 2000. (Oct 16, 2001)
Source: CSO Magazine
Wrigley’s Information Security Mission
The Global IT Security mission is to provide information security leadership, direction and guidance through mutual understanding of business enablers and tolerance of risk. We will accomplish this by implementing industry standards in the areas of perimeter defense, risk mitigation, policy creation, education, awareness, monitoring and response to security events. Through security best practices we will ensure the confidentiality, availability, and integrity of our systems and data in the areas of people, technology and process.
Information Security drives value into Wrigley’s Initiatives
Physical/Logical Access Controls
Security Program
Trusted Computing
Brings value to business relationships
Protects Brand
Increases Shareholder Value
Wrigley’s Information Security Program
Based On International Standards
ISO 17799 is an internationally recognized information security standard.
Facilitates trading in a trusted environment.
Intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce.
A comprehensive set of controls comprising best practices in information security.
Wrigley’s Information Security Model
(Diagram: the model is drawn as three dimensions. ELEMENTS: Governance, Operations, Architecture. LAYERS: Prevention, Detection, Verification, Response. Fronts: Tools, Process, Roles.)
Information Security Program Elements
Governance: Defining and overseeing the program
Security policy, standards and guidelines
Organizational roles and responsibilities
Assessment of and security plans to control risk
Metrics and processes to determine how well the organization is adhering to information security policies, processes, procedures, guidelines
Access controls: who has access to sensitive systems and data
Security awareness programs
ISO 17799 BENCHMARKING IN THE AREA OF
ORGANIZATIONAL SECURITY
Has a forum been established to oversee and represent information security?
Has a process been established to coordinate implementation of information security measures?
Has a management approval process been established to authorize new IT facilities from both a business and technical standpoint?
Has a capability been established that provides specialized information security advice?
Is there a liaison with external information security personnel and organizations, including industry and/or government security specialists, law enforcement authorities, IT service providers and telecommunications authorities?
Are responsibilities for accomplishment of information security requirements clearly defined?
ISO 17799 BENCHMARKING IN THE AREA OF
ORGANIZATIONAL SECURITY (Continued)
Has an independent review of information security practices been conducted to ensure feasibility, effectiveness, and compliance with written policies?
Have third party connection risks been analyzed?
Have specific security measures been identified to combat third party connection risks?
Are security requirements included in formal third party contracts?
Have the security requirements of the information owners been addressed in a contract between the owners and the outsource organization?
Information Security Program Elements
Operations: Administering and enforcing
Information Security policies and access controls
Controls for physical/logical access to information assets
Processes and procedures to minimize the likelihood of disruptions, recover from disasters, and respond to security incidents
Information Security Program Elements
Architecture: Designing and implementing
Development methodology for secure information systems
Systems and controls that limit the risk of unauthorized access to business assets
Information Security Layers
Across the enterprise there should be layers of protection to ensure that the risks are managed effectively. Each security layer supports the next to minimize the probability of security problems and minimize the exposure Wrigley faces when incidents do occur.
Prevention: Protecting information through effective use of technology, processes and organizational responsibilities to limit the potential of a threat being realized.
Detection: Manual and automated mechanisms to identify and isolate security problems. This includes active and passive monitors and analytical procedures.
Information Security Layers (Continued)
Verification: Manual and automated mechanisms to ensure that required security measures are in place. This can take forms including vulnerability assessments, audit and monitoring tools.
Response: When prevention measures fail, Wrigley needs a rapid, pragmatic response capability. This requires planning for containment, triage and direct response.
Information Security Fronts
Information Security is not just a technology problem. There is no “silver bullet” to make a dramatic improvement in the security posture of Wrigley. The posture depends on developing, enforcing and maintaining safe computing practices on the unified fronts of Tools, Processes and Roles.
Tools: Protecting information through effective use of technology (e.g. firewalls, authentication and authorization mechanisms) that result in reusable solutions to business risk scenarios.
Processes: Establishing repeatable solutions or compensating controls for business risks, ensuring that they are measured regularly, and periodically aligning business and information security goals.
Roles: Creating the roles that ensure clear responsibilities and accountability in business units, Information Security organization, suppliers and business partners. Eliminating gaps and reducing overlaps to ensure that requirements are met.
Wrigley’s Security Program
In Perspective
(Diagram: Wrigley’s security program in perspective. Information Security Vision and Strategy sits at the top, above Information Security Management. Senior Management Commitment and Training and Awareness run alongside as supporting pillars. Inputs: Business Initiatives, Threats, Legislation. Components: Enterprise Architecture Strategy; Vulnerability & Risk Assessment; Security Policy; Security Architecture and Technical Standards; Administrative and End-User Guidelines and Procedures; Enforcement Process; Monitoring Process; Recovery Process.)