Presentation to Irish ISSA Conference 12-May-11

Post on 19-Oct-2014


Discussion of information security risks in current business and technology environments, presented to ISSA Ireland conference attendees in Dublin on 12 May 2011.

Transcript of Presentation to Irish ISSA Conference 12-May-11

Is information Security less of a risk now?


In this economic climate business risks have changed.

Has information security risk moved down the Internal Auditor’s priority list?

Risk

Where does information security fit in the business risk universe?

What do businesses think?

Top Business Risks

• Regulation and compliance

• Access to credit

• Slow recovery or double-dip recession

• Managing talent

• Emerging markets

• Cost cutting

• Non-traditional entrants

• Radical greening

• Social acceptance risk and CSR

• Executing alliances and transactions

Ernst & Young Business Risk Report 2010

Where do you see Information Security ?


Business risk Environment

The Drivers :

• Regulatory and Compliance seen as a major risk by Business

• CEOs have seen a significant impact from regulatory change (raised capital levels and liquidity ratios)

Deloitte’s Global Risk Management Survey – Seventh Edition

Business risk Environment (2)

The Result:

• IT investment aimed at cost efficiency as well as growth.

• Risk Management incorporated into formal strategic planning processes.

Deloitte’s Global Risk Management Survey – Seventh Edition

Internal Audit (IA) trends

• Globalisation

• More flexible, integrated role for Internal Audit

• Greater focus on risk management

• Hunt for talent

• Technology advances

PwC ‘Internal Audit 2012’

Controls assurance. Risk based audit planning.

Controls assurance. Evaluation of risk management also.

Outsourcing and offshoring

Recognised by IA and used to help IA

INFORMATION SECURITY VIEW

Image thanks to www.xkcd.org

2011 predictions

• Expanded digital domain (smart phones & tablets)

• Broader scope of information security aided by cost cutting and optimisation in organisations (VOIP, customised devices)

• Cybercrime – staying ahead of law enforcement

• Monitoring at a whole new level

• Social Media – consumer reality and hype

More new things – more complexity

Drive for value from security

IT Governance view

• Value creation by IT is important

• IT should be proactive

• Greater focus on governance

• Outsourcing

• Cloud computing plans underway

• Social Media is not highly prized.

ISACA and IT Governance Institute – 2011

Outsourcing

• Not a new activity

• History of business processes and IT applications outsourcing success or otherwise.

19% of CEOs plan to ‘insource’ a business process or function in 2011, compared to 31% of the CEOs surveyed who plan to outsource.

Source: PwC 14th Annual CEO Survey.

The Cloud

[Slide diagram: cloud deployment models (Private, Public, Community, Hybrid); service models (SaaS, PaaS, IaaS); underlying technologies (Grid computing, Utility computing, Virtualisation / VM, Platform, Web 2.0); characteristics (cost savings, agile, scalable, resilient, service oriented, automatic security management).]

Cloud computing is a new business model, a new way of delivering computing resources – NOT a new technology.

Cloud Security Benefits

• Moving public data to the cloud allows you to focus on sensitive data

• Cloud homogeneity makes auditing & testing easier

• Economies of scale

• Resource concentration

• Enable automated security management

• Redundancy / disaster recovery

Easier to mind eggs in one basket

Works for security too

Cloud Security Issues

Policy & Organisational

Technical

Legal

and TRUST

Policy & Organisational

• Going on the cloud to save money

• Passing control to the cloud provider

• Lock-in

Simplistic, and may blind you to the need to manage.

Security responsibility is still there:

- SLAs should be adequate,

- Audit support needed.

Limited support for data and service portability

Technical risks

All the old technical risks, and some...

[Slide diagram of cloud technical control areas:]

• Server side protection

• Client side protections

• Hypervisor controls

• IAM

• Authentication controls

• Isolation: software, stored data

• Encryption and key management

Technical risks (2)

• Isolation failure

• Protection of more data in transit

• Greater reliance on communications links

SunGuard noted that 25% of DR invocations were due to communications failure! (UK figures for 2010)

O/S, software and data; data persistence / data remanence

Encryption & keys management

Technical risks (3)

Example of the use of cloud computing resources to brute force WPA-PSK passphrases.

• The idea is not new,

• The use of cloud compute resources is!

Legal / Compliance

• Data Protection

• Applicable laws and jurisdiction

• Electronic Discovery

• Compliance


Does your cloud provider store your HR data outside the EU?

Intellectual Property protection.

If there is a dispute with your cloud provider ...

If there is a dispute with a customer ...

Getting access to audit, or getting evidence of the provider’s compliance

Trust

Is it safe for companies to trust the cloud providers with their data which, in some cases, can include entire business infrastructure?

PERSPECTIVE

Image thanks to www.xkcd.org

Cloud Security Problems

Are not new...

• The technical issues are tractable

• The legal issues will probably be the hardest (read slowest) to get resolved.

• Policy and organisational issues were encountered before.

The cloud provides the opportunity to get them right this time.

Small Player Problems

Approaches

For some it is hope and pray!

You can’t look under the hood.

Maybe not, but there are other options ...

• Risk focus is elsewhere

• Rely on the market

• Cloud computing risks not attracting much attention.

Approach

Look at how offshore / outsource risks are managed

It is said (by many)

You can ultimately outsource responsibility but you cannot outsource accountability !

How do you exercise control ?


Preparation

• Understand:

• Policies and SLAs in place and your service expectations

• Boundaries of responsibility

• Communications, including issue resolution

• Change management

• Security controls (on offer and applied)

• Continuity – including your back-out plan

What do you need to gain trust?

Assurance

• Certification

• Audit controls, recoverability controls

• Right to Audit

• Cloud Provider’s history

• Provider’s approach to data breach / security reporting

• Reputation among your peers

• Reputation in the blogosphere

SAS70, ISO27001 certification – BUT understand the scope of certification!

Look for the EVIDENCE!

Final Thoughts

• Technology continues its advance

• Vulnerability exploits and countermeasures continue to be developed

• Policy, organisational and compliance issues occur as long as there is human involvement

• There are gaps, but the evidence shows these are being addressed.

michael@ofassociates.com

www.ofassociates.com

(+353) 87 28 38 667


Questions?