Advantages of IT Security

Prof. Uldis Sukovskis, CISA, Riga Information Technology Institute

Secure information exchange in Electronic media

Baltic IT&T 2006, April 5, 2006, Riga, Latvia


2

Today's Environment: Collaboration

• Individuals

• Business Partners

• Industries

• Global businesses

Trusted partners

3

Today's Environment: Traditional vs. E-business

Traditional

• customer → business → IT support

E-business

• customer → IT solution → business

Trusted IT solutions

4

Today's Environment

Does IT become a commodity?

• Resources on demand

• Standardization

Trusted technologies

5

Today's Environment: Concerns

• Breaches of confidentiality

• Disruption of business operations

• Theft of intellectual property

“The wonder of the Web is that the customer knows about IT problems the same time you do. There’s no camouflage.” – Senior VP of Electronic Brokerage Technology

The Computer Crime and Security Survey, CSI/FBI, 2005

6

Competitive Advantage

• High service level for customers

• Complex technology (additional risk)

• Public image and branding

• Compliance

• Business resilience

New Driver - Trust and Differentiation

• Security as a differentiator

Competitiveness

• for businesses

• for countries

7

Fundamental Principles of Security

Confidentiality

• Passwords, biometric controls, identity management systems, ...

• Encryption, VPN, SSL, SET, ...

Integrity

• Digital signatures, PKI, anti-virus software, ...

Availability

• Backup systems, continuity plans, ...

8

Regulations

State Secrets Law, 1996

Personal Data Protection Law, 2000

State Information Systems Law, 2002

Electronic Documents Law, 2002

Obligatory technical and organizational requirements for protection of personal data processing systems, Cabinet of Ministers Regulation No.40, January 30, 2001

Common Security Requirements for State Information Systems, Cabinet of Ministers Regulation No.765, October 11, 2005

Regulations on Security Audits of Certification Authorities, Cabinet of Ministers Regulations No.357 and No.358, July 1, 2003

and more ...

9

Regulations

State Standards

• LVS ISO/IEC 17799:2005 Information technology – Code of practice for information security management

• LVS ISO/IEC TR 13335:2003 Information technology – Guidelines for the management of IT Security

• LVS ISO/IEC 15408:2003 Information technology – Security techniques – Evaluation criteria for IT security

• LVS ISO/IEC 12207:2002 Information technology – Software life cycle processes

• and more ...

Regulations of the Financial and Capital Market Commission

• Regulations on the Security of Information Systems of Financial and Capital Market Participants

• Regulations on Information Encryption and Electronic Signing

• and more ...

10

Does a Stronger Lock Help?

11

Scope of IT Security

Too often IT security issues are treated in the narrow sense as technologies protecting against viruses, spam, spyware, “bad guys”, etc.

Scope of IT security also includes

• business continuity planning

• software development issues

• personnel security

• security awareness program

• and more ...

12

Scope of IT Security

LVS ISO/IEC 17799:2005 control areas:

• Security Policy

• Organization of Information Security

• Asset Management

• Human Resource Security

• Physical and Environmental Security

• Communications and Operations Management

• Access Control

• IS Acquisition, Development, and Maintenance

• Information Security Incident Management

• Business Continuity Management

• Compliance

13

IT Security Framework

Use proven values to win competition

• COBIT to build IT governance

• ISO/IEC 17799 to manage IT security

[Figure: the eleven ISO/IEC 17799 control areas (Security Policy, Organization of Information Security, Asset Management, Human Resource Security, Physical and Environmental Security, Communications and Operations Management, Access Control, IS Acquisition, Development, and Maintenance, Information Security Incident Management, Business Continuity Management, Compliance) arranged around the three core properties: Confidentiality, Integrity, Availability]

14

Scope of IT Audit

Assessment of

• IT support for company’s business objectives

• IT function compliance with regulatory requirements

• IT project cost and schedule control

• IT solution benchmarking to industries’ best practice

• IT security

Independent audit

• ISACA Latvia, 60+ members (www.isaca.lv)

• 48 certified IS auditors (CISA) and certified security managers (CISM)

Thank You for Your Attention!

[email protected]

www.riti.lv