1
IT Security and Privacy
Group Six: Nick Fieseler, Joe Fitzgerald, Cari Wegge, Josh Woodworth
IS 6800, Winter 2006
Dr. Mary Lacity, Professor
2
9/11
Since the 9/11 terrorist attacks, the United States’ business assets and infrastructure are key targets and maybe even avenues for future attacks.
Attacks through the Internet increased by 28% in the six months after 9/11.
Other information security (IS) risks include natural disasters, which can destroy facilities and critical documents.
Disaster recovery has become a $6 billion industry since 2001.
Lally, L. “Information Technology as a Target and Shield in the Post 9/11 Environment”, Information Resources Management Journal, Vol. 18, 1, Jan-March 2005, pp. 14-28.
http://www.TechNews.com, viewed on March 27, 2006.
3
Post-9/11 IT Security
Theft of trade secrets and information loss due to computer malfunctions can cause businesses to lose their competitive advantages.
The 2004 CSI/FBI Computer Crime and Security Survey reported that computer security breaches caused $141,496,560 in total U.S. losses.
Lally, L. “Information Technology as a Target and Shield in the Post 9/11 Environment”, Information Resources Management Journal, Vol. 18, 1, Jan-March 2005, pp. 14-28.
4
Post-9/11 IT Security
Preparation, prevention, and recovery are now crucial practices for businesses using IT.
Security and privacy ranks third among top management concerns.
Security technologies are among the top six application and technology developments.
Luftman, J., and McLean, E., "Key Issues for IS Executives," MIS Quarterly Executive, Vol. 4, 2, 2005, pp. 269-286.
5
Objectives
Overview of IT Security and Privacy
Case Study: Home Decorators
Case Study: Express Scripts
Comparisons and Similarities
Best Practices
Conclusion
6
IT Security Importance
According to a report released by the Government Accountability Office in late December 2005, the SEC has corrected or mitigated only eight of 51 weaknesses cited last year.
The report said that efforts to improve FBI IT capabilities have failed so far.
In 9/11 report recommendations from October 2005, President Bush was asked to lead a government-wide effort to improve IT in major national security institutions.
As systems get more complex, they also become less secure.
Security technologies are not improving quickly enough for business.
Lally, L. “Information Technology as a Target and Shield in the Post 9/11 Environment”, Information Resources Management Journal, Vol. 18, 1, Jan-March 2005, pp. 14-28.
Schneier, Bruce. Secrets & Lies: Digital Security in a Networked World, Wiley Publishing, Indianapolis, 2004.
7
Planning for Security
Policies
Never contradict law – Enron/Andersen Consulting
Quality security programs begin and end with policy
Least expensive but most difficult to implement properly
IT Security is 75% people and 25% technology
Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.
8
IT Security Approaches
Bottom-Up Approach
Advantage: technical expertise of grassroots users
Disadvantage: seldom works, very little organizational staying power
Top-Down Approach
Advantage: starts at top and can flow down to all below
Champion: CIO, VP-IT must gain executive buy-in
Adopted and promoted by upper management
Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.
9
Flow of IT Processes
With executives and CIO down to users
http://www.icann.org/general/staff-organization-chart-22may03.gif
10
Systems Risk
“The likelihood that the firm's information systems are insufficiently protected against certain kinds of damage or loss.”
Straub, D.W., Welke, R.J. “Coping with systems risk: Security planning models for management decision making”, MIS Quarterly, Vol. 22, 4; December 1998, pg. 441.
11
Risk Management
Risk Identification
  Risk Assessment
  Inventorying Assets
  Classifying Assets
  Identifying Threats and Vulnerabilities
Risk Control
  Selecting Strategy
  Justifying Controls
Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.
12
Three Levels of IT Security Policies
EISP
ISSP
SysSP
Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.
13
Enterprise Information Security Policy (EISP)
EISP directly supports:
Organizational Mission
Executive/Management Vision
Organizational Strategic Direction
Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.
14
Issue-Specific Security Policy (ISSP)
Addresses specific areas of technology: e-mail, Internet usage, minimum anti-virus protection
Requires frequent updates (this can be related directly to companies)
Contains statement on organization’s position on a specific issue
Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.
15
Systems-Specific Policy (SysSP)
Codified as standards and procedures to be used when configuring and maintaining systems
Two main groups: Access Control Lists (ACLs) and Configuration Rules
Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.
16
ACL Policies
Restricts access:
Who: username/password
What: rights users have in the system
When: users can have access
Where: users can gain access
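As an added example (not code from the deck or from either company studied), the following deny-by-default evaluator applies an ACL policy along the four dimensions above, who, what, when and where, and includes a small least-privilege audit of the policy itself; the user names, rights, hours and networks are constructed.

```python
"""Deny-by-default evaluation of a SysSP-style ACL along the four dimensions
named on the slide (who, what, when, where).  Added illustration: the entries,
user names and addresses below are constructed and do not come from either
case study in the deck."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

ANY_NETWORK = "0.0.0.0/0"
ALL_DAY = (time(0, 0), time(23, 59, 59))


@dataclass(frozen=True)
class AclEntry:
    who: str                       # username the entry applies to
    what: frozenset                # rights the user has in the system
    when: tuple = ALL_DAY          # daily window during which access is allowed
    where: tuple = (ANY_NETWORK,)  # source networks the user may connect from


@dataclass(frozen=True)
class AccessRequest:
    user: str          # authenticated username (after the username/password check)
    right: str         # right being exercised, e.g. "read"
    at: datetime       # when the request arrives
    source_ip: str     # where the request comes from


@dataclass
class Acl:
    entries: list = field(default_factory=list)

    def decide(self, req: AccessRequest) -> tuple[bool, str]:
        """Allow only if some entry for this user matches on what, when AND where."""
        reasons = []
        for e in self.entries:
            if e.who != req.user:
                continue
            if req.right not in e.what:
                reasons.append(f"{req.user} does not hold right '{req.right}'")
                continue
            start, end = e.when
            if not start <= req.at.time() <= end:
                reasons.append(f"request at {req.at.time()} outside window {start}-{end}")
                continue
            if not any(ip_address(req.source_ip) in ip_network(n) for n in e.where):
                reasons.append(f"source {req.source_ip} not in {e.where}")
                continue
            return True, f"allowed by entry for {e.who}"
        return False, "; ".join(reasons) or f"no ACL entry for user {req.user}"

    def overly_broad(self) -> list[str]:
        """Audit helper: users granted a modifying right from any network at any
        hour.  These entries are the first ones a least-privilege review should question."""
        return [e.who for e in self.entries
                if (e.what & {"write", "admin"}) and ANY_NETWORK in e.where and e.when == ALL_DAY]


def build_sample_acl() -> Acl:
    """Constructed policy: an office user, a security administrator, and a legacy
    service account that the audit helper should flag."""
    return Acl([
        AclEntry("jdoe", frozenset({"read"}),
                 when=(time(8, 0), time(18, 0)), where=("10.1.0.0/16",)),
        AclEntry("secadmin", frozenset({"read", "write", "admin"}),
                 where=("10.1.0.0/16", "192.168.50.0/24")),   # LAN plus a VPN pool
        AclEntry("legacy_svc", frozenset({"read", "write"})),  # any network, any hour
    ])


def sample_request(user: str, right: str, hour: int, source_ip: str) -> AccessRequest:
    """Build a request on a fixed (constructed) date so only the hour varies."""
    return AccessRequest(user, right, datetime(2006, 3, 2, hour, 0), source_ip)


if __name__ == "__main__":
    acl = build_sample_acl()
    for req in (sample_request("jdoe", "read", 10, "10.1.5.20"),
                sample_request("jdoe", "read", 22, "10.1.5.20"),
                sample_request("jdoe", "read", 10, "203.0.113.7"),
                sample_request("secadmin", "admin", 3, "192.168.50.9")):
        print(req.user, req.right, acl.decide(req))
    print("entries to review:", acl.overly_broad())
```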
17
Case Study: Knights Direct Catalog Group
What is Knights Direct?
18
Company Overview
About 300 million in combined sales
Home Decorators started in 1991, Soft Surroundings in 1999
Headquarters in Hazelwood, MO
1,200 employees
19
Company Organizational Chart
President
  Director of IT
    Manager of Development
    Manager of Tech Services
      Security Administrator
      4 other system & network administrators
  Other Directors
20
IT Background
30 employees
IT budget is 1.5% of annual sales (in 2005, 4.5 million)
5 manager types, 15 developers, 3 technicians, 7 administrators
21
IT Security Technologies
Cisco firewalls and routers
Cymtec Sentry intrusion protection system (IPS), Scout intrusion detection systems (IDS)
Co-location for disaster recovery
VPN – Virtual Private Network
Jeff Nolle, Manager of Technical Services, interviewed in person by Josh Woodworth, March 2, 2006.
22
Perceived Limitations
“We believe our various protection layers from different vendors protect us as best as practical. Even though we have dedicated quite a few resources, both financial and human, towards security, it allows us to run smoothly and confidently.”
- Manager of Technical Services
Jeff Nolle, Manager of Technical Services, interviewed in person by Josh Woodworth, March 2, 2006.
23
Examples of Risk
TrendMicro’s OfficeScan on every PC
Virus-wall for all incoming & outgoing e-mail messages
“Day-zero” attacks
Jeff Nolle, Manager of Technical Services, interviewed in person by Josh Woodworth, March 2, 2006.
24
Future Security Plans
Annual 3rd party penetration tests
Segmenting local network
Eliminate protocols that transmit data and passwords in clear-text
Encrypt database fields with sensitive data
Jeff Nolle, Manager of Technical Services, interviewed in person by Josh Woodworth, March 2, 2006.
25
Lessons Learned
“Security isn’t a destination, but rather a journey. In order to continue smooth operations and gain the confidence of our customer base we need to make a complete commitment to security, and not take the issues lightly.”
- Security Administrator
Jeff Nolle, Manager of Technical Services, interviewed in person by Josh Woodworth, March 2, 2006.
26
Case Study: Express Scripts, Inc.
What is Express Scripts (ESI)?
27
Company Overview
Founded in 1986
Headquartered in St. Louis, Missouri
Pharmacy Benefit Manager
13,000 employees
$15.1 billion in revenue in 2004
Ranked 137 on Fortune 500 List
NASDAQ 100
Stock split in Summer 2005
Subsidiaries include CuraScript and ESI Canada
Customers include employers and insurers, generally very financially savvy
28
IT Background
One of Information Week’s 500 Most Technologically Progressive Companies
1,100 employees
Three divisions: Application Development; Infrastructure and Architecture; and People, Process and Planning
IS Security Officer: Mark Kinnunen
Privacy Officer: Jennifer Goedeke
Annual IT budget: $250 million (around 6% of entire budget)
Cost of running Security Office: $1.5 million
Cost of current security functionality project: $1 million
Ongoing security administration is embedded within each area’s support cost
ESI relies heavily on IT to do business, from pharmacy claims processing to member website access
Service Center is outsourced to EDS
29
IT Organization
President and CEO
  COO
    Chief Information Officer
      Application Development
        Adjudication Services & Quality Assurance
        Client & Patient Services
        Specialty
        Canada
      Infrastructure & Architecture
        Chief Architect
        Infrastructure
        Performance & Reliability
      People, Process & Planning
        Human Resources
        Finance
        Strategy & Planning
      Director, Security Compliance
        14 Security Analysts
http://esinet/business/ip/ Viewed on March 8, 2006
30
Information Protection at ESI
Information Protection (IP) is chartered to protect the information assets at Express Scripts. It is part of the Information Systems (IS) organization and reports to the Chief Information Officer.
Mission: To ensure the confidentiality, integrity and availability of Express Scripts' critical computer resources and assets while minimizing the impact of security policies and procedures on business productivity.
All employees are responsible for information security.
http://esinet/business/ip/ Viewed on March 8, 2006
31
Examples of Risk
External hackers
- up to 700 attacks against firewalls daily
Phishing
Identity theft
Employee oversights
- lax about security updates and computer locking
Disgruntled employees
Spam
- 80% of incoming e-mails are spam
Mark Kinnunen, IS Security Officer of Express Scripts, interviewed in person by Cari Wegge, February 27, 2006.
32
Regulations and Certifications
HIPAA
Sarbanes-Oxley
DITSCAP: establishes standard processes, activities, tasks, and management structure to certify and accredit Information Systems that will maintain the integrity and security of the Defense Information Infrastructure
Jennifer Goedeke, Privacy Officer of Express Scripts, interviewed over the telephone by Cari Wegge, March 20, 2006.
Kimbell, J., Walrath, M. “Life Cycle Security and DITSCAP”, IA Newsletter, Vol. 4, 2, Spring 01, pp. 16-22. http://iac.dtic.mil/iatac
33
IT Security Technologies
Symantec AntiVirus: installed on every PC
Tumbleweed system: used to encrypt outgoing e-mails containing PHI and other confidential data
Remote access for personal computers: provided via a Virtual Private Network (VPN)
Platforms: RACF, AIX, Mainframe, Sun Solaris, HPUX, Stratus, VAX/VMS, Windows
Mark Kinnunen, IS Security Officer of Express Scripts, interviewed in person by Cari Wegge, February 27, 2006.
34
Perceived Limitations
“The most important thing in security isn’t the technology, it’s the people using it.”
- IT Security Officer
Mark Kinnunen, IS Security Officer of Express Scripts, interviewed in person by Cari Wegge, February 27, 2006.
35
IT Security Strategies
Maintain a consistent approach to Information Protection that supports the delivery of services
Maintain controls for the protection of information assets that comply with HIPAA and other regulatory requirements
Apply the principle of least privilege to protect all sensitive data, including PHI
Identify and mitigate security vulnerabilities in a timely manner
Educate users of information assets about their responsibilities associated with system use
Mark Kinnunen, IS Security Officer of Express Scripts, interviewed in person by Cari Wegge, February 27, 2006.
36
ESI Security Policies
New for 2006:
Ethical hacking: evaluate system security
Payment card masking and retention
Users must review and remove confidential comments from documents prior to external distribution
Updated for 2006:
System and network administrators must inform Security Compliance of vulnerability assessment tools and usage
Network and host-based intrusion detection systems required for Internet-accessible systems
Wireless firewalls required if devices connect to the internal network
PDA screen saver passwords are required after 15 minutes of inactivity
http://esinet/business/ip/ Viewed on March 8, 2006
37
Future ESI Security Plans
Establish, implement, and monitor Security Compliance
Identify and mitigate security vulnerabilities
Ramp up auditing to ensure legal and regulatory compliance
HIPAA training
Continued awareness education
SOX, SAS, DITSCAP audits
Identity management pilot
Mark Kinnunen, IS Security Officer of Express Scripts, interviewed in person by Cari Wegge, February 27, 2006.
38
Lessons Learned
“Employee education is the most important tool that we have.”
- ESI Privacy Officer
Jennifer Goedeke, Privacy Officer of Express Scripts, interviewed over the telephone by Cari Wegge, March 20, 2006.
39
Comparison of Case Studies
Commonalities
VPN
Virus protection
Dedicated department and team
Restricted user access
Documented policies and plans
Differences
IT Security Awareness Week
Size of company and department
Outsourcing
Organizational hierarchy
Protected Health Information
40
2005 Global Security Survey
International survey by Deloitte Touche Tohmatsu
Designed to identify the state of information security in the financial services industry
Included the following:
26 of the 120 financial institutions listed within the Global 500 Companies
28 of the top 100 global banks
9 of the top 50 global insurers
Responses from organizations in 26 countries
2005 Global Security Survey, Deloitte Touche Tohmatsu Global Financial Services
41
Key Findings
Compliance requires input from multiple stakeholders
Preparation for the evolving nature of security threats
Growing popularity of the Chief Information Security Officer
Board of Directors’ interest in security must be a requirement
Assessment of the value and impact delivered to the business
The importance of training and awareness
2005 Global Security Survey, Deloitte Touche Tohmatsu Global Financial Services
42
2005 CSI/FBI Computer Crime and Security Survey
Computer Security Institute (CSI) – world’s leading membership organization dedicated to training and education on the protection of information assets
Participation from FBI’s Computer Intrusion Squad
Surveyed 700 IT security professionals in U.S. corporations
Survey now in 10th year
Longest running continuous survey in the information security field
L. Gordon, M. Loeb, W. Lucyshyn, R. Richardson. 2005 CSI/FBI Computer Crime and Security Survey
43
L. Gordon, M. Loeb, W. Lucyshyn, R. Richardson. 2005 CSI/FBI Computer Crime and Security Survey
44
L. Gordon, M. Loeb, W. Lucyshyn, R. Richardson. 2005 CSI/FBI Computer Crime and Security Survey
45
L. Gordon, M. Loeb, W. Lucyshyn, R. Richardson. 2005 CSI/FBI Computer Crime and Security Survey
46
Federal Regulations
HIPAA (1996)
Health Insurance Portability & Accountability Act
Who can see your medical info and how it can be used?
Gramm-Leach-Bliley Act (1999)
Protection of consumer’s personal financial info
Patriot Act (2001)
Government and the individual’s right to privacy
Sarbanes-Oxley (2002)
Corporate accountability
47
Chief Information Security Officers
Responsible for all elements of the information security program
Oversee compliance with federal regulations (Sarbanes-Oxley, HIPAA)
Establish threat level for IT security
Can be broken down into several positions
Work closely with CIO & CEO
Cost can be prohibitive for smaller companies
Key Elements of an Information Security Program, Bryant Tow, Director North America Managed Security Solutions at Unisys, copyright Unisys 2004.
48
2005 Global Security Survey, Deloitte Global Financial Services
49
Best Practices
Physical Security Measures
Secure workstations
Control of facility and data access
Encryption
Administrative Security Measures
Properly documented security policies
Training and awareness
Security audits
Contingency plans
50
Contingency Plans
Managed Security Services (security outsourcing)
IT Insurance
Disaster Recovery
51
L. Gordon, M. Loeb, W. Lucyshyn, 2005 CSI/FBI Computer Crime and Security Survey
53
L. Gordon, M. Loeb, W. Lucyshyn, 2005 CSI/FBI Computer Crime and Security Survey
55
Conclusion
Status must be communicated clearly throughout the organization
Proper testing and training, including feedback
Alignment with business strategy
Assessment of the latest threats
IT security must be proactive, not reactive
56
Questions?