© 2008 Verizon. All Rights Reserved. PTEXXXXX XX/08
GLOBAL CAPABILITY. PERSONAL ACCOUNTABILITY.
Chris Mula, CISSP, CISM, Regional Manager
March 31st, 2009
Security Management Programs
2
PROPRIETARY STATEMENT
This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon’s service.
This document and any attached materials are not to be disseminated, distributed, or otherwise conveyed throughout your organization to employees without a need for this information or to any third parties without the express written permission of Verizon.
The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.
3
SMP Goals: Setting the Right Expectations
• What are your organization’s goals for SMP?
• What compliance requirements do you address today?
• How is risk and compliance reporting performed within your organization?
• What are our goals for your organization?
4
Welcome to SMP: Meeting Agenda
• Our Goal for this Meeting:
To introduce the Security Management Program (SMP) and discuss how SMP can help you meet your compliance needs while managing risk and reducing the risk posture of your organization
• Meeting Agenda:
– What do we know about GRC in an organization?
– Introduction to the Security Management Program
– Case Study: How SMP can help you reduce your risk posture
– Questions and Answers
6
Organizations are becoming more complex. This introduces some new security challenges.
• Wider: Security controls should span the Extended Enterprise and should be executed where they are most effective and cost-efficient
• Deeper: Security should span the entire IT stack, including the network, data, applications and users
• Smarter: Security decisions should be based on risk, not on just threats and vulnerabilities
7
Organizations are attempting to balance G, R, & C. However, the goals are usually the same.
Business Needs:
• Means-focused philosophy
• Risk-focused methodology
• Security spending is required
• Synergistic effectiveness
• Proactive incident handling
• Essential practice controls
Legal Needs:
• Ends-focused philosophy
• Vulnerability-focused methodology
• Security spending is a cost
• Binary effectiveness
• Passive incident handling
• Best practices controls
The Goals:
1. Meet security compliance needs
2. Improve the security posture by addressing risks
3. Reduce duplicated effort to save money and use resources efficiently
4. Minimize redundant testing and reuse results from prior audits
5. Protect the reputation of the organization
8
…And compliance is not addressing risk: the awful reality of “stag-pliance”.
• Most organizations are focusing on compliance, not risk.
• Compliance spending has grown and will grow at a rate of 22% each year.
– Out of 217 companies (average revenue of $5 billion), $4.4 million was the average cost to meet just SOX 404 compliance.
• But compliance spending is not fixing the problems related to weak security.
– Most organizations are weak in the following areas:
  • Partner security
  • Off-line data
  • Physical and environmental
  • Policy enforcement
10 Recent Data Loss Incidents:
– Mary Washington Hospital: medical information, social security numbers, and other personal information of 803 exposed on the web.
– Goodyear: list of 570 social security numbers stolen from a vehicle.
– City of Indianapolis: social security numbers, names, and dates of birth of about 3,300 posted on a public website.
– Southwest Mississippi Community College: names, addresses, and some social security numbers of at least 1,000 posted on the internet.
– United Kingdom Ministry of Defense: disappearance of a computer hard drive which could contain the details of about 100,000 armed forces personnel.
– Deloitte, Network Rail, British Transport Police, Vodafone: personal details of at least 100,000 pension scheme members on a stolen laptop.
– University of North Dakota: stolen laptop contains credit card and social security numbers of 84,554.
– West Virginia Department of Administration: names and social security numbers of 535 on a stolen laptop.
– T-Mobile: lost disk containing data on 17 million customers.
– United Kingdom National Health Service: personal information on patients on two stolen laptops.
10
The Security Management Program: An introduction.
Diagram: GLBA, ISO-27001, PCI, SOX and HIPAA feeding into SMP.
• The Security Management Program is a repeatable program based on the comprehensive Essential Practices, which are validated on a continuous and recurring basis.
• Essential Practices = Synergistic Security Best Practices + Essential Common Controls of various standards (GLBA, ISO-27001, ISO-27002, SOX, PCI, HIPAA).
Essential Practices fact sheet:
• Practical and achievable foundation of effective security:
  – Inexpensive (re-use the existing environment)
  – Easy to install, easy to manage, easy to monitor
  – At least three synergistic controls for each risk
  – An essential control could be effective against more than one risk
• Based on 12+ years of actuarial risk research, continuously updated
• Follows a synergistic, layered approach to minimize cost
11
The Security Management Program is a … continuous security assessment and control validation program that is:
– comprehensive,
– repeatable,
– ongoing,
– measurable,
– risk reducing,
– compliance easing,
– a governance tool,
– a layered approach.
Aids Governance:
• Standardized program
• Measurable and comparable results
Reduces Risk:
• Improves security posture
• Tested methodologies
Demonstrates Compliance:
• ISO 27002-based controls
• Alignment mappings to key standards
Security Management Program:
• Available since 1997
• World-wide
• Hundreds of customers
12
Our Security Methodology: Holistic Approach.
Diagram: security areas plotted by Security Breadth and Security Depth: Physical Security, Application Security, Human Factor Security, Policy Development, Operating System, Network Security, Operational Security, Log & IDS Management, Incident Response, Hardening & Configuration, Knowledge Transfer, Insurance, Certification, Process Management, Alerts & Updates, Wireless Security, Regulatory Compliance, Asset Classification, Risk Metrics, ISP & Hosting, Risk Database, Decision Support, Security Design & Architecture.
13
Our Security Methodology: Holistic Approach.
Diagram: the same Security Breadth / Security Depth chart as on the previous slide, with the Essential subset marked.
14
Our Risk Methodology: A layered security model in practice. Example: Malware Prevention.
Diagram: Data, Systems and Assets at the centre, surrounded by control layers: Administrative (Human/Policy), Technical (Application/Service), Technical (System/Platform), Technical (Network/Logical), Physical & Environment.
Essential Practices in the example: Prevent visitors from connecting to the LAN; FW & port blocking; Gateway AV; Desktop AV; AV policy & awareness.
Risk Reduction as each layer is added, with each control working at 80% effectiveness: 0 → 80% → 96% → 99.2% → 99.84% → 99.97%.
15
Security Management Program Activities: Activities & Assessments
Diagram: a sample environment showing the Internet-facing network (web, email and DNS servers), the internal perimeter network (web and email), wireless network and modems, the desktop network, the internal critical network (Active Directory, file servers, DHCP server), and partner and extranet connections.
External Environment (Internet-facing) >> identify and classify devices that are exposed to the Internet, and collect information to determine:
• Known Vulnerabilities
• Unnecessary Services
• Boundary Malcode Gaps
• Aged Software
• Unusual Configurations
• Gateway (Email) Filter Gaps
Desktop Environment >> gather security and configuration data from desktop machines that are accessing the network to determine:
• Antivirus Currency
• Screensaver Passwords
• Modem Access
• Policy Compliance
Wireless Environment >> collect information on the presence of wireless devices and the configuration of those devices
Human/Administrative >> review policies and the implementation of procedures required to meet foundation levels of security
Physical Environment >> inspect the security measures surrounding the physical premises that house the critical data and infrastructure
Internal (DMZ & LAN) Networks & Extranet Connections >> identify critical DMZ and LAN assets to determine:
• Known Vulnerabilities
• Historically Vulnerable Software
• Unusual Configurations
• LAN, perimeter, and modems (war dial)
16
Security Management Program: Reviews, Interviews & Evidence Collection Participants
Interviews, policy, process & procedure review and evidence collection with:
• Windows Services Team
• Unix Services Team
• Mainframe Services Team
• Network Services Team
• Database Services Team
• IT Security Team
• Risk Management Team
• DRP Team
• Application Development Team
• Change Control Team
• Incident Management Team
• Desktop Support Team
• Help Desk / Service Management Team
• Information Security Team
• Information Security Committee
• Third Party Management
• Procurement Team
• Legal Team
• Human Resources Team
• BCP Team
• Compliance Team
• Physical Security Team
• Facilities Team
• …
Policy Review: validate existence of policy
Procedure Review: validate adaptation of policy to procedures
Process Review: validate that procedures and processes have been implemented as controls
Technical Assessments: validate that implemented controls are effective
17
Security Management Program: Percentage of Control Elements by Activity
• Process & Procedure Validation: 70%
• Policy Review: 12%
• Physical Inspection: 9%
• Desktop Risk Assessment: 2%
• Internal Risk Assessment: 2%
• External Risk Assessment: 2%
• War Dial: 1%
• E-mail Filter Check: 1%
• Wireless Assessment: 1%
More than 90% of the controls are validated through the Essential Practice review (Policy, Process & Procedure Reviews and Physical Inspections).
Around 10% of the controls are validated through Technical Scans (Internal, External, Wireless Scans, War Dials, Email Filter Checks, Desktop Risk Assessments).
18
We have a flexible content module to help our clients balance risk and compliance
GRC Content Module (example hierarchy):
• Control 5.1
  – Sub-Control 5.1.1
  – Sub-Control 5.1.2
  – Sub-Control 5.1.3
• Control 5.2
  – Sub-Control 5.2.1
  – Sub-Control 5.2.2
• Control 6.1
  – Sub-Control 6.1.1
  – Sub-Control 6.1.2
  – Sub-Control 6.1.3
  – Sub-Control 6.1.4
The module is based on the ISO-27002 framework.
Controls define the degree of implementation and are generally scored on a scale. The score is used to quantify synergistic effectiveness.
Sub-controls define the specific compliance requirement. Each requirement has a defined means of validation. The requirement is either met or not met.
The content is only a set of ingredients: based on your needs, we will give you the recipe.
19
We have a refined risk methodology … and we have the process and risk intelligence to support it.
Assessment process:
1. Scope
2. Profiling
3. High-Level Assessment
4. Mid-Level Assessment
5. Detailed Assessment with Asset Discovery
6. Measure applicable concepts and provide recommendations in order of effectiveness
Residual Risk = Likelihood of Threat x Synergistic Effectiveness x Business Impact
20
…and we have a precise way to report it: Risk Executive Summary Report
The SMP Risk Reporting allows you to:
• Analyze and demonstrate your risk posture (pre and post assessment), taking into account business impact (based on CIAA rating) across the different asset groups for the 7 main risk categories.
• Maintain historical trending and indicators of your risk posture
• Analyze and demonstrate your risk score across 336 risk scenarios
• Identify the most urgent areas of risk within your organization
• Identify and prioritize mitigating actions and controls.
21
The Security Management Program: SMP Controls Set Validation Activities
The SMP Control Set addresses risks in 7 main categories:
• Malicious Code
• Hacking
• Deceit
• Misuse
• Physical
• Error
• Environmental
…and across the 4 asset groups:
• Servers & Applications
• Off-line Data
• Network Devices
• End users
The SMP Control Set is continuously validated through 9 activities:
• Email Filter Check (bi-annually)
• External Risk Assessment (quarterly)
• Internal Risk Assessment (bi-annually)
• Physical Inspection (annually)
• Policy Review (annually)
• Process & Procedure Validation (annually)
• War Dial Assessment (bi-annually)
• Wireless Assessment (bi-annually)
• Desktop Risk Assessment (bi-annually)
The Security Management Program uses 4 different validation methods:
- Attest – Attestation during interviews
- Test – Electronic testing (includes vulnerability assessment, email filter check, telephone assessment)
- Inspect – Inspection of documents and physical security controls
- Demonstrate – Demonstrate through evidence that a control is compliant
22
Security Methodology: ISO 27002 Controls
• Controls that help reduce risk utilizing existing tools and resources
• Aligned with other industry standards
• Risk-focused, not vulnerability-focused
• Validated as essential implementations
Risk Equation:
• Risk = Threat x Vulnerability x Impact on the Assets
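The arithmetic behind the layered malware-prevention example (slide 14) and the two risk equations (slides 19 and 22), as an added Python example that is not part of the original deck. It assumes the layers fail independently, so a stack's pass-through fraction is the product of each layer's miss rate; it also assumes the "Synergistic Effectiveness" term of the residual-risk formula enters as that pass-through fraction, and it uses constructed threat, vulnerability and impact values in [0, 1].

```python
"""Layered-control arithmetic for the SMP slides (added example, not Verizon code)."""

# Constructed inputs: the five malware-prevention layers named on slide 14,
# each assumed to block 80% of what reaches it, as the slide's figure states.
MALWARE_CONTROLS = [
    ("Prevent visitors from connecting to the LAN", 0.80),
    ("FW & port blocking", 0.80),
    ("Gateway AV", 0.80),
    ("Desktop AV", 0.80),
    ("AV policy & awareness", 0.80),
]


def pass_through(controls):
    """Fraction of attempts that get past every layer, assuming the layers
    fail independently: the product of (1 - effectiveness) over the layers."""
    fraction = 1.0
    for name, eff in controls:
        if not 0.0 <= eff <= 1.0:
            raise ValueError(f"effectiveness of {name!r} must be in [0, 1]")
        fraction *= 1.0 - eff
    return fraction


def combined_effectiveness(controls):
    """Synergistic effectiveness of the whole stack: 1 - pass-through."""
    return 1.0 - pass_through(controls)


def cumulative_effectiveness(controls):
    """Effectiveness after each layer is added: for five 80% controls this is
    the slide's 80%, 96%, 99.2%, 99.84%, 99.97% series."""
    return [combined_effectiveness(controls[: i + 1]) for i in range(len(controls))]


def inherent_risk(threat, vulnerability, impact):
    """Slide 22: Risk = Threat x Vulnerability x Impact on the Assets.
    All three factors are taken as values in [0, 1] (an assumption)."""
    return threat * vulnerability * impact


def residual_risk(likelihood, controls, business_impact):
    """Slide 19: Residual Risk = Likelihood of Threat x Synergistic Effectiveness
    x Business Impact. Assumption: the effectiveness term enters as the
    pass-through fraction (1 - E), so stronger controls lower the residual."""
    return likelihood * pass_through(controls) * business_impact


def rank_by_marginal_value(controls):
    """Order controls by how much combined effectiveness drops if that one
    control is removed (the 'recommendations in order of effectiveness' idea
    from slide 19). Returns (name, drop) pairs, largest drop first."""
    full = combined_effectiveness(controls)
    drops = []
    for i, (name, _) in enumerate(controls):
        without = controls[:i] + controls[i + 1:]
        drops.append((name, full - combined_effectiveness(without)))
    return sorted(drops, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for (name, _), eff in zip(MALWARE_CONTROLS, cumulative_effectiveness(MALWARE_CONTROLS)):
        print(f"{eff:7.2%}  after adding: {name}")
    # Constructed mixed stack: one weak layer and two stronger ones.
    mixed = [("Gateway AV", 0.80), ("Desktop AV", 0.90), ("AV policy & awareness", 0.50)]
    for name, drop in rank_by_marginal_value(mixed):
        print(f"{drop:6.2%} loss without {name}")
    print(f"residual risk: {residual_risk(0.30, mixed, 0.70):.4f}")
```

With equal 80% layers every control has the same marginal value, so the ranking only becomes informative for a stack of unequal controls, as the mixed example shows.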
Security Management Program Methodology
Delivery Methodology:
• 1-7 days = kick-off
• 8-90 days = identify, assess, and secure
• 91-180 days = secure and manage
• 181-270 days = identify, assess, secure, and manage
• 271-365 days = secure, manage, and demonstrate
Annual activity schedule (Activity by Quarter 1 to Quarter 4):
• WA (Wireless Assessment): required in two quarters
• WDA (War Dial Assessment): required in two quarters
• PPV (Process & Procedure Validation): ongoing in all four quarters
• PR (Policy Review): required in one quarter
• PI (Physical Inspection): required in one quarter
• IRA (Internal Risk Assessment): required in two quarters
• ERA (External Risk Assessment): required in all four quarters
• EFC (Email Filter Check): required in two quarters
• DRA (Desktop Risk Assessment): required in two quarters
23
The Security Management Program: Tools and Deliverables.
• SMP Console (Progress Tracking)
• Activity Reporting (For each of the 9 activities)
• Management Reporting (Quarterly)
• Risk Intelligence Briefings
• Microsoft Patch Tuesday Risk Briefings
• Vulnerability, Malicious Code and Emerging Threat Alerts
• SAFER Team Support (24/7)
24
SMP Dashboard – Online Consolidated Feedback
• Graphical views provide immediate, convenient and consolidated access to current compliance status, vulnerability status and risk intelligence.
• Consolidated security and compliance status for all of your SMP sites at the click of a button
• Provides anonymized and aggregated industry comparisons for all the different standards
• Secure access to SMP Deliverable Reports and Alignment Reports
25
Communicate
• As part of the program, you will get a report for every activity:
– Desktop Assessment Report
– Email Filter Report
– External Assessment Report
– Internal Assessment Report
– Physical Assessment Report
– Policy Review Report
– Process/Procedure Reports
– Wardial Reports
– Wireless Assessment Report
• You will also get management reports for every calendar quarter:
– Control Status Report (Executive and Detailed versions)
26
We Incorporated a Proven Model: From planning, to implementation, to checking, to acting
Plan: Establish an information security management system
Do: Implement and operate the information security management system
Check: Monitor and review the information security management system
Act: Maintain and improve the information security management system
Your Organization
Response Support:
• Expert analysis and support
• Guidance from desktop risk assessments
• Guidance from email filter checks
• Guidance from external risk assessments
• Guidance from internal risk assessments
• Guidance from physical inspection
• Guidance from policy review
• Guidance from procedure validation
• Guidance from wireless risk assessments
• Guidance from war dial risk assessments
• Guidance from alerts and risk briefings
• Guidance from response team
Initial Risk Assessments (to help with security planning):
• Results of a desktop risk assessment
• Results of an email filter check
• Results of an external risk assessment
• Results of an internal risk assessment
• Results of a physical inspection
• Results of a policy review
• Results of a procedure assessment
• Results of a wireless risk assessment
• Results of a war dial risk assessment
Ongoing Risk Assessments (to check implementation):
• Results from desktop risk assessments
• Results from email filter checks
• Results from external risk assessments
• Results from internal risk assessments
• Results from physical inspection
• Results from policy review
• Results from procedure validation
• Results from wireless risk assessments
• Results from war dial risk assessments
Responsibility Support:
• Expert analysis and support
• Alerts and risk briefings
Awareness Support:
• Expert analysis and support
• Alerts and risk briefings
Advice with Security Design and Implementation:
• Expert analysis and support
• Guidance from policy review
27
In Conclusion
Diagram: the Plan / Do / Check / Act cycle (establish, implement and operate, monitor and review, maintain and improve the information security management system).
• Ask the right questions
• Understand the challenges
• Deal with perceptions
• Incorporate a proven model
28
Risk and Compliance Reporting
Diagram: the reporting pipeline.
Control Definition, based on ISO27001: Control 1 through Control 12.
Control Validation:
- Questionnaires
- Network Vulnerability Scans
- Application Vulnerability Scans
- On-site Audits
- 24 by 7 Monitoring & Management
Compliance Reporting & Scorecard
Risk Reporting & Scorecard
Chart: Percent Breakdown of ARR by Threat Type (axis 0% to 35%), for Malcode, Hacking, Fraud, Misuse, Error, Physical, Environmental and Compliance.
Customer’s Compliance & Risk Profile: standards (PCI, SoX) and scopes (Perimeter, End points, Extended Enterprise), each rated Less than peers, Average or More than peers (if applicable).
How does SMP help customers reduce risk? … A practical approach
30
Security Management Program Case Study: Large Financial and Insurance Group
Top Security Challenges for this Organization:
• Have an overview of the company’s risk posture.
• Have a uniform approach towards security for all the companies of the group.
• Measure the security evolution through historical trending (i.e. KPIs).
• Identify risk zones (geographic, procedural, etc.) and prioritize the actions.
• Change from “have control of the situation” to “demonstrate control of the situation”.
How SMP answers these challenges:
• Security Management Program Risk and Compliance Scorecards
• Repeatable program based on security best practices along with internationally accepted standards (ISO, PCI, SOX, CoBIT)
• Validation of compliance through quarterly, bi-annual and annual activities and reporting
• Security Management Program addresses risk in 7 main categories, taking into account the organization’s business impact
• A recurring and repeatable program is able to demonstrate compliance with the different aspects of risk reduction
Organization’s Posture:
• 2500+ Retail Banking Offices across Europe
• More than 10 million Retail Banking and Insurance Clients
31
Security Management Program Case Study: Large Financial and Insurance Group
The Security Management Program at this Large Financial and Insurance Group
• How does Verizon Business fit into the security and risk management at this organization?
Processes (ITIL):
• Process & Procedure Review
• Coherence with non-IT/IS processes (i.e. HR, Physical, Environmental, Legal)
• Comparison with best practices and internationally accepted standards (ISO 27002)
Certification:
• SMP Certification process tracks progress of various business units
• Facilitates certain audits (“validate once, comply many” strategy)
• Simplified communication (Internal and External – “Certified” acceptance criteria)
Governance:
• Different validation levels (“trusted”, “semi-trusted”, “untrusted”) based on compliance level
Services:
• Quarterly Dashboards
• Research and Intelligence (latest risks)
• Analyst Support
• SAFER Team
• Active and Recurring Scans