360 security model - holistic approach to security
DESCRIPTION
http://www.logicalsecurity.com/education/education_overview.html
The 360 Security Model is an approach to security. It explains risk analysis, management and metrics, enterprise security architecture, security governance, and security legal and regulatory compliance - http://www.logicalsecurity.com
TRANSCRIPT
Security Today
Shon Harris
Security consultant, educator, author
Presentation is Proprietary and Cannot be Reused without Permission
360 Security Model
Holistic Approach to Security
Every Organization has these EXACT issues…
• The responsibility of securing an organization is falling into the laps of individuals who are not security professionals.
• This is because security is no longer just a technology issue, but is now a business issue that must be dealt with at all levels of an organization.
• The biggest hurdle is that the individuals in the industry have a difficult time understanding the ultimate goals of a secure enterprise architecture in a way that allows them to break them down into achievable steps.
• This is not because they are ignorant or incapable, but every organization is struggling with the exact same questions:
• How do we set up a security enterprise architecture?
• How do we set up an enterprise risk management model?
• How do we implement security governance?
• How do we know what “enough security” means?
• We are recognizing that more than technical people need to be involved, but cannot figure out how to integrate security into business processes.
Are There Gaps?
Do the departments responsible for these different types of security communicate and work well together in your company?
Most Organizations…
► Do not fully realize that there is a structured way of rolling out and maintaining a security program
► Organizations are bombarded with products, consultants, too much information, and service and product companies with their own agendas
► By not following a structured approach, organizations are wasting time, wasting money, experiencing security compromises, and failing audits
Common Pain Points
Every organization is RECREATING THEIR OWN WHEEL when it comes to developing a secure enterprise architecture.
This only adds layers of confusion because no one fully understands the overall goals or how to accomplish them.
No Enforcement – Just Documents
But We Have Models
► CobiT
► ISO 17799/BS 7799
► NIST documents
► SABSA
► Etc.
CobiT – Control Objectives
5.1 Management of IT Security
Manage IT Security at the highest appropriate organizational level …
5.2 IT Security Plan
Translate business information requirements, IT configuration, information risk action plans, and information security culture …
5.3 Identity Management
All users (internal, external, and temporary) and their activity on IT systems (business application, system operation…)
5.4 User Account Management
Ensure that requesting, establishing, issuing, suspending, modifying, and closing user accounts and related user privileges …
5.5 Security Testing, Surveillance, and Monitoring
Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically …
Industry Best Practices Standards
BS/ISO 17799
Guidelines on range of controls for implementing security
Best practices for security management
Divided into 10 sections:
Security policy
Security organization
Assets classification and control
Personnel security
Physical and environmental security
Computer and network management
System access control
System development and maintenance
Business continuity planning
Compliance
NIST Guidelines
SABSA Model
http://www.sabsa-institute.org/UserFiles/Image/3-framework.png
Result of Trying to Understand all Approaches
Exactly Where Are We Trying to Go?
► Risk Management
► Enterprise Security Architecture
► Security Governance
► Security Legal and Regulatory Compliance
► Staying out of the Headlines
Need Risk Management Now?
Does your team know how to develop and roll this out?
Goal of Enterprise Security Architecture = Security at All Levels
Security is to be in alignment with the organization’s strategic goals.
Enterprise Security Architecture
Strategic alignment
Business enablement
Process enhancement
Security effectiveness
Without an Enterprise Security Architecture
► Security only takes place at the technical level
► Continual confusion and repeating expensive mistakes
► Stovepipe solutions, which cost more in maintenance and integration
► Depending upon point solutions, not enterprise solutions
► Unable to use enterprise information to make solid business decisions
► Continually putting out fires
► Reactive versus proactive
Security Governance
“Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”
- IT Governance Institute
All security activity takes place within the security department, thus security works within a silo and is not integrated throughout the organization.
Executive management holds business unit managers responsible for carrying out risk management activities for their specific business units.
CISO took some boilerplate security policies, inserted his company’s name, then had the CEO sign them.
Executive management sets an acceptable risk level that is the basis for the company’s security policies and all security activities.
CEO, CFO and business unit managers feel as though information security is the responsibility of the CIO, CISO and IT department and do not get involved.
CEO, CFO, CIO and business unit managers participate in a risk management committee that meets each month and information security is always one topic on the agenda to review.
Board members do not understand that information security is in their realm of responsibility and focus solely on corporate governance and profits.
Board members understand that information security is critical to the company and demand to be updated quarterly on security performance and breaches.
Company B / Company A
The organization does not analyze its performance for improvement, but does continually march forward and makes the same mistakes over and over again.
The organization is continuing to review its business processes, including security, with the goal of continued improvement.
Security products, managed services, and consultants are purchased and deployed without any real research or performance metrics to be able to determine the return on investment or effectiveness. Company has a false sense of security because it is using products, consultants, and/or managed services.
Security products, managed services, and consultants are purchased and deployed in an informed manner. They are also constantly reviewed to ensure they are cost effective.
Policies and standards are developed, but no enforcement or accountability practices have been envisioned or deployed.
Employees are held accountable for any security breaches they participate in, either maliciously or accidentally.
Business processes are not documented and are not analyzed for potential risks that can affect operations, productivity, and profitability.
Critical business processes are documented along with the risks that are inherent at the different steps within the business processes.
Company B / Company A
Security Governance = Managing Security at All Levels
After Looking at the Pretty Graphics
Information Security Mantra
“Security needs to be a business process”
Great strategic goal – but many organizations will never get there under their current approaches.
What are We Doing Today?
► Lack of true understanding of overall goals
► Detailed structure is not fully developed first
► Bringing in expensive consultants
► Purchasing products
► Using managed security services
► Sending staff to technical security courses
[Diagram: organizational levels (IT and technologists; Department Managers; C-Level Individuals; CEO and Board) shown alongside today’s approaches (Generic Technology Training; Consultants; Managed Services; Products)]
Why Is Our Current Model Dangerous?
► No real roadmap, so the team is not marching forward
  • Continually chasing their own tails
► Not making educated and informed decisions
  • Making the same expensive mistakes over and over
  • Relying too heavily on vendors
► Lack of continual and useful communication between corporate levels
► Risk management is talked about, but not understood or implemented
► Accountability is not truly enforced
► Point solutions instead of enterprise solutions are rolled out
► Plans are built around technology and not solution processes
► People who are responsible for putting out fires are also trying to develop strategy
Security Consulting Issues
COMMUNICATION
Knowledge Requirements and Communication Channels
There Are Cookie Cutter Approaches
Break Your Three Year Plan Down
Project management is required to keep everyone in step and on track
Phases Need Useful Detail and Goals
Mapping Requirements to Security Processes
Security Program Components are the Categories of Control Objectives
Security Program Subcomponents
Defining the Surrounding Process around Specific Subcomponents
Example: Vulnerability Management
Almost all regulations require vulnerability management.
There are about 100 different ways that vulnerability management is termed in the various laws and regulations.
The difficulty is developing and implementing a successful VM program and ensuring that it maps to all compliance requirements.
You Need a Fully Functional Program
Vulnerability Management Program Process
Define roles and responsibilities
Develop VM baselines and metrics
Develop threat classifications (high, medium, low)
Identify and inventory assets
Create CSIRT
Develop procedures for incident handling
Develop communication channels for incident data dissemination
Carry out vulnerability assessments
Carry out penetration tests
Receive vendor vulnerability alerts
Validate vulnerability alerts against your inventory of assets
Classify new vulnerability (high, medium, low)
Test remediation (patches, hotfix) and deploy – patch management
Implement preventive controls based on new vulnerability releases
Audit vulnerability management processes and continually improve
Qualys, Foundstone Scanner, and ISS cannot do all of this for you. The product is just one component of the process.
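The three middle steps of the process above (receive vendor alerts, validate them against the asset inventory, classify the result high/medium/low) are the part a scanner product does not do for you, because the inventory and the business criticality live outside the tool. The following is an added example, not code from the presentation or from any of the products named; the inventory, the advisory ids, the CVSS thresholds and the remediation SLA days are all constructed assumptions to show the shape of the step.

```python
"""Triage vendor vulnerability alerts against an asset inventory.

Added illustration of three steps of a VM program process: receive vendor
alerts, validate them against the inventory of assets, classify each one
high / medium / low. Every value here is constructed sample data; the
threshold scheme and SLA targets are assumptions, not figures from the talk.
"""
from dataclasses import dataclass

CRITICALITY_RANK = {"high": 3, "medium": 2, "low": 1}
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}   # assumed remediation targets


@dataclass
class Asset:
    hostname: str
    software: dict       # product name -> installed version string
    criticality: str     # business criticality from the asset inventory


@dataclass
class Alert:
    advisory_id: str     # placeholder identifier, not a real advisory
    product: str
    affected_below: str  # versions strictly lower than this are affected
    cvss: float          # vendor-supplied base score


def version_key(version):
    """Turn '10.2.1' into (10, 2, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset, alert):
    """Validate an alert against one asset: is the product present and old enough?"""
    installed = asset.software.get(alert.product)
    if installed is None:
        return False
    return version_key(installed) < version_key(alert.affected_below)


def classify(alert, assets_hit):
    """Assumed scheme: vendor severity combined with the business criticality
    of the most critical affected asset. Alerts that hit nothing get no work."""
    if not assets_hit:
        return "not applicable"
    worst = max(a.criticality for a in assets_hit if True)
    worst = max(assets_hit, key=lambda a: CRITICALITY_RANK[a.criticality]).criticality
    if alert.cvss >= 7.0 and worst == "high":
        return "high"
    if alert.cvss >= 4.0 or worst == "high":
        return "medium"
    return "low"


def triage(alerts, inventory):
    """Return one triage record per alert: affected hosts, class, SLA."""
    records = []
    for alert in alerts:
        hit = [a for a in inventory if is_affected(a, alert)]
        level = classify(alert, hit)
        records.append({
            "advisory": alert.advisory_id,
            "affected_hosts": sorted(a.hostname for a in hit),
            "classification": level,
            "sla_days": SLA_DAYS.get(level),
        })
    return records


# Constructed inventory and alerts (product names and ids are placeholders).
INVENTORY = [
    Asset("web01", {"ExampleWeb": "2.3.1"}, "high"),
    Asset("db01", {"ExampleDB": "10.2"}, "high"),
    Asset("lab07", {"ExampleWeb": "2.1.0"}, "low"),
    Asset("ws42", {"ExampleWeb": "2.4.0"}, "medium"),
]
ALERTS = [
    Alert("EXAMPLE-0001", "ExampleWeb", "2.4.0", 8.1),
    Alert("EXAMPLE-0002", "ExampleDB", "10.3", 5.3),
    Alert("EXAMPLE-0003", "ExampleMail", "1.0", 9.8),  # product not deployed
]


def triage_sample():
    return triage(ALERTS, INVENTORY)


if __name__ == "__main__":
    for record in triage_sample():
        print(record)
```

The third alert carries the highest vendor score but touches no asset, so it produces no patch work; without the inventory step that alert would have consumed the same effort as the first. The SLA attached to each class is what the "develop VM baselines and metrics" step later measures against.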
Another Example: Data Classification and Data Protection
Necessary steps of this process:
Risk assessment of not protecting sensitive data
Define sensitive data as it maps to business drivers
Define classification criteria (determine value of data via business impact analysis)
Define data owner and custodian responsibilities
Develop the necessary policies, standards, guidelines and procedures for internal use
Know how to detect “sensitive data” at rest and in transit
Mitigating third party risks (they have copies of sensitive data you are responsible for protecting)
Response procedures when users attempt to release sensitive data and enforcement tactics
Document data classification process, which includes a risk matrix, and control descriptions for auditors and compliance
Know how to modify classification criteria based on business and regulatory needs
Understanding data protection controls that should be in place:
► Access control
► User provisioning
► Encryption
► Digital rights management
► Monitoring
Training on data classification program, processes, and product use
Integrate data classification and data protection processes into internal auditing practices
Develop documentation and resources for external auditors for compliance validation
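Two of the steps above, knowing how to detect sensitive data and tying a classification level to the controls that must be in place, are the ones that can be exercised in code. The following is an added example, not from the presentation; the detector patterns, the classification labels (restricted, internal, public) and the mapping from level to the five control types listed above are assumptions chosen to show how a classification criterion becomes an enforceable check. The sample text is constructed. The card-number check uses the Luhn checksum so that a random sixteen-digit order number does not trigger a false finding.

```python
"""Detect sensitive data in text and map the result to a classification
level and the protection controls that level requires.

Added illustration, not code from the presentation. Patterns, level names
and the level-to-controls mapping are assumptions. Sample input is constructed.
"""
import re

# Detection rules: each kind maps to a regex and, optionally, a validator
# that rejects candidates which merely look like the data type.
def luhn_ok(candidate):
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(ch) for ch in candidate if ch.isdigit()]
    total = 0
    for idx, digit in enumerate(reversed(digits)):
        if idx % 2 == 1:                 # every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0

RULES = [
    ("payment_card", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), luhn_ok),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), None),
]

# Classification criteria (assumed): which kind of finding forces which level.
LEVEL_OF_KIND = {"payment_card": "restricted", "ssn": "restricted", "email": "internal"}
LEVEL_RANK = {"public": 0, "internal": 1, "restricted": 2}

# Controls that should be in place per level (assumed mapping of the five
# control types named in the talk: access control, user provisioning,
# encryption, digital rights management, monitoring).
REQUIRED_CONTROLS = {
    "public": [],
    "internal": ["access control", "user provisioning", "monitoring"],
    "restricted": ["access control", "user provisioning", "encryption",
                   "digital rights management", "monitoring"],
}


def find_sensitive(text):
    """Return findings as [{'kind': ..., 'value': ...}] in rule order."""
    findings = []
    for kind, pattern, validator in RULES:
        for match in pattern.finditer(text):
            value = match.group(0)
            if validator is None or validator(value):
                findings.append({"kind": kind, "value": value})
    return findings


def classify_text(text):
    """Classify a document by its most sensitive finding and list the controls."""
    findings = find_sensitive(text)
    level = "public"
    for finding in findings:
        candidate = LEVEL_OF_KIND[finding["kind"]]
        if LEVEL_RANK[candidate] > LEVEL_RANK[level]:
            level = candidate
    return {"level": level, "findings": findings, "controls": REQUIRED_CONTROLS[level]}


# Constructed sample: one valid test card number, one SSN-shaped value, one
# e-mail address, and one 16-digit order number that fails the Luhn check.
SAMPLE_TEXT = (
    "Invoice for acct 4111 1111 1111 1111, employee SSN 123-45-6789, "
    "reply to jane.doe@example.com. Reference 1234 5678 9012 3456 is an order number."
)

if __name__ == "__main__":
    print(classify_text(SAMPLE_TEXT))
```

The same `classify_text` function applies at rest (run over files in a share) and in transit (run over an outbound message body); what changes is only where the text comes from and what the response procedure does with a "restricted" result.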
This Level of Detail Per Program Component
Program Components
When?
Do you have to accomplish all of this today? In a week? In a year? In 2 years?
No, but you need a plan today, and if it is worthless you will not accomplish this stuff in 10 years!
3 Year Plan – Are Your Phases Even Useful – or Too High Level?
Structure or Chaos – or In Between?
If you don’t know where you are, you can’t get to where you want to go.
Security Programs…
Swamp guides become more valuable than security architects
All Organizations
We are currently around here
We Need to Evolve
► We need a new model to empower organizations and allow them to understand security in business terms
► We need a model that takes the theoretical best practices and turns them into practical action items
► Companies need to be able to take ownership of their internal security program
The current approach will continue to provide a gap between what we preach and what we practice.
Holistic security that is integrated into business processes.
Security Maturity Evolution
Security Metrics: Measure the efficiency, effectiveness, value, and continuous performance improvement of the individual security process
Evolution
Initiate Stakeholder Security Program: Stakeholder sponsored program with responsibilities assigned
Security Architecture: Architecture principles and policies in place to define core security functions
Assurance: Auditing, monitoring, and reporting processes and controls in place to ensure they are meeting standards and that they are effective
Security Technical Framework: Establishment of standards and technologies to support stakeholder interaction
Security Organizational Structure: Individuals and organizations assigned responsibility, accountability, and authority to support the infrastructure
Documented Strategy, Principles, and Policy: Clearly defined set of technology-independent policies developed from the business strategy
Compliance and Certification: Establish compliance measurement and reporting system
Baseline Security Standards: Security controls defined to establish a consistent basis for managing risk
[Diagram: vertical axis “Security Capability”; stages Defined, Integrated, Optimized; Level 1, Level 2, Level 3]
How to be Successful
► Gather much more data – do not work in a vacuum
► Break the pieces down into achievable goals that are inexpensive
  • Quick wins will be much quicker
► Learn from each phase, improve, and incorporate knowledge into next phase
► Phases will allow the group to understand more about the current processes and business as a whole
► Use products that are currently in-house and in the market to accomplish many of these tasks through automation
► Do not create metrics, baselines, processes “in the dark” – which would waste a lot of money and be useless
► Provide a structured risk-based approach that is measurable and controllable
► Understand how to incorporate security into business units and processes
► Understand how to continually improve and be innovative in a healthy manner
► Protect the company in a more effective and understandable process
Success or Failure
What will Allow this Project to Succeed?
Take the time to gather all of the necessary data before running forward
Get feedback from all departments that would be involved and affected
Provide real information for decision makers and not superficial data
Solid and reasonable phased approach
Realize and communicate the true benefit that this will provide for ALL security needs and departments
Realize that this is a long jog, not a short sprint
What will Cause this Project to Fail?
If necessary resources and funds are not provided through ALL PHASES
Viewed as a bottleneck for business expansion. Must be enforced as a “must have” not a “nice to have”
If one person does not own this process and keep people on track
More communication does not take place
Wrong people are on the security committee
Other projects take precedence and motivation fades
Improvement Will Not Happen Accidentally
Shon Harris
www.LogicalSecurity.com
(888) 373-5116
[email protected]
Logical Security is on the GSA Schedule and is a woman-owned, veteran-owned company