security & privacy
Post on 16-Mar-2016
Security & Privacy
The changing world of Privacy and the core drivers.
Privacy Issues
Authentication of a customer prior to disclosure of information.
Practices, policies and governance need to be strengthened, while remaining sensitive to customer circumstances, in order to anticipate possible privacy issues.
Privacy Issues
Negotiation of confidentiality and privacy provisions in service provider contracts.
Service providers must be clear in identifying their obligations; we are not responsible for their compliance obligations.
Privacy Issues
Identity Theft
Limit the data that is shared with third-party service providers. Minimize the data to that required for them to perform their service.
Limit data included on customer communications.
Need-to-know policy and governance.
Privacy Impacts
Privacy impacts to Infrastructure Protection operations:
LEA Requests … electronic wiretap
Background checks … (potential) employees
Security Clearances … personal employee data
Fraud … customer information protection
Privacy Driver
SOX
Tactical Response
Data Mining and Correlation
Does the need for protection of privacy override the business operational needs?
Compliance Matrix
Each functional requirement below is mapped to what PCI, SOX and Privacy respectively demand of it.

Functional Requirement: Comprehensive, granular view to know precisely who did what to which information
  PCI: Be able to reconstruct a wide range of events tied to cardholder information
  SOX: COBIT and ISO 17799 requirements
  Privacy: Disclosure of personal information must be audited

Functional Requirement: Scales across the enterprise
  PCI: Audit all accesses to cardholder data
  SOX: Corporations must demonstrate that they have insight into and control over systems that can impact their ability to faithfully report financial status
  Privacy: Disclosure of personal information is audited

Functional Requirement: Cross-application, cross-data source
  PCI: Be able to reconstruct a wide range of events tied to cardholder information, independent of information source
  SOX: Comprehensive, corporate information sources
  Privacy: Disclosure of personal information must be audited, independent of data source

Functional Requirement: Real-time architecture
  PCI: Review logs for all system components at least daily. Alert suspicious behavior.
  SOX: Limit risk exposure. Alert suspicious behavior.
  Privacy: Detect suspicious or anomalous user behavior. Alert suspicious behavior.

Functional Requirement: Policy-based flexibility to respond to changing auditing requirements
  SOX: SOX doesn't explicitly define operational control methodologies.
  Privacy: Federal governments, as well as many local governments, are currently enacting legislation.

Functional Requirement: Simplified reporting
  PCI: Review logs for all system components at least daily.
  SOX: Corporations must demonstrate that they have insight into and control over systems that can impact their ability to faithfully report financial status
  Privacy: Demonstrate that disclosure of personal information is monitored, logged and audited
Requirement 10
10.1 Establish a process for linking all data access activities (especially those with root or administrative privileges) to an individual user or system.
10.2 Implement automated audit trails to reconstruct the following events:
10.2.1 All accesses to customer data
10.2.2 All actions taken by any individual with root or administrative privileges
10.2.3 Access to all audit trails
10.2.4 Invalid logical access attempts
10.2.5 Use of identification and authentication mechanisms
10.2.6 Initialization of the audit logs
10.2.7 Creation and deletion of system level objects
10.3 Record at least the following audit trail entries for each event:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource
10.5 Secure audit trails so they cannot be altered in any way.
10.6 Review logs for all system components at least daily.
10.7 Retain your audit trail history for a period that is consistent with its effective use, as well as legal regulations. An audit history usually covers a period of 2 years or more.
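The Requirement 10 items above describe what an audit trail must record (10.3), what it must let you reconstruct (10.2) and that it must be tamper-proof (10.5). The following is an added example, not code from the presentation or from any product it describes: a small hash-chained, append-only audit trail in Python that rejects events missing any of the six 10.3 entries, answers the 10.2 reconstruction queries, and makes in-place edits detectable. Field names, event types and the sample events are constructed for illustration.

```python
"""Hash-chained audit trail carrying the six PCI DSS 10.3 entries per event.

Added example, not code from the presentation. Field names, event types and
the sample events below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json

# 10.3.1-10.3.6: user identification, type of event, date and time,
# success or failure, origination of event, affected data/system/resource.
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "success", "origin", "resource")

# Constructed sample events (no real users, hosts or data).
SAMPLE_EVENTS = [
    {"user_id": "jsmith", "event_type": "SELECT", "timestamp": "2016-03-16T09:12:03Z",
     "success": True, "origin": "10.1.4.22", "resource": "cardholder.pan", "privileged": False},
    {"user_id": "dba_root", "event_type": "GRANT", "timestamp": "2016-03-16T09:40:51Z",
     "success": True, "origin": "10.1.9.5", "resource": "cardholder.pan", "privileged": True},
    {"user_id": "jsmith", "event_type": "LOGIN", "timestamp": "2016-03-16T22:05:17Z",
     "success": False, "origin": "203.0.113.9", "resource": "db01", "privileged": False},
    {"user_id": "dba_root", "event_type": "SELECT", "timestamp": "2016-03-16T22:06:02Z",
     "success": True, "origin": "10.1.9.5", "resource": "audit_log", "privileged": True},
]


def _digest(prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous record's hash and the canonical JSON of this event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditTrail:
    """Append-only trail; each record's hash covers the event and its predecessor (10.5)."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: list[dict] = []

    def append(self, event: dict) -> dict:
        # Refuse events that would not satisfy 10.3.
        missing = [f for f in REQUIRED_FIELDS if f not in event]
        if missing:
            raise ValueError(f"audit event missing required entries: {missing}")
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        record = {"event": dict(event), "prev": prev, "hash": _digest(prev, event)}
        self.records.append(record)
        return record

    def verify(self) -> tuple[bool, int]:
        """Walk the chain; return (True, -1) or (False, index of the first bad record)."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
                return False, i
            prev = rec["hash"]
        return True, -1

    # The reconstruction queries 10.2 asks for.
    def accesses_to(self, resource: str) -> list[dict]:
        """10.2.1 / 10.2.3: every event touching one data object (or the audit trail itself)."""
        return [r["event"] for r in self.records if r["event"]["resource"] == resource]

    def privileged_actions(self) -> list[dict]:
        """10.2.2: actions by root or administrative identities."""
        return [r["event"] for r in self.records if r["event"].get("privileged")]

    def failed_attempts(self) -> list[dict]:
        """10.2.4: invalid logical access attempts."""
        return [r["event"] for r in self.records if not r["event"]["success"]]


def build_sample_trail() -> AuditTrail:
    trail = AuditTrail()
    for event in SAMPLE_EVENTS:
        trail.append(event)
    return trail


def tamper_demo() -> tuple[bool, int]:
    """Edit a stored event in place, as someone with write access to the log could."""
    trail = build_sample_trail()
    trail.records[1]["event"]["user_id"] = "jsmith"  # rewrite who issued the GRANT
    return trail.verify()


if __name__ == "__main__":
    t = build_sample_trail()
    print("chain intact:", t.verify())
    print("privileged actions:", len(t.privileged_actions()))
    print("after tampering:", tamper_demo())
```

The chain only makes alteration evident if the latest hash is anchored somewhere the log writer cannot reach (shipped to a separate collector, signed, or written to a log-only store at each review); an attacker who can rewrite the whole file can recompute every hash, so 10.5 is met by the combination of chaining and that anchor, not by chaining alone. The same point applies to 10.2.3: reads of the audit trail itself are events and belong in the trail.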
Audit Checklist
The SOX Compliance Challenge
Section 404 of the Sarbanes-Oxley Act requires enterprises to have insight into and control over systems that can impact their ability to faithfully report financial status.
Non-compliance and/or incorrect information can result in punitive penalties.
COBIT 13.6 and ISO 17799
SOX doesn't explicitly define operational control methodologies. COBIT and ISO 17799 are the two most commonly used frameworks for SOX compliance.
Both of these standards demand that a company have insight into the following areas key to maintaining control over critical data activities:
Logins and logouts
Application and data trigger modifications
Changes to user definitions and privileges
Data structure changes
Access to and usage of sensitive data
Errors and exceptions
Sources of client access
Time of access
The Information Protection and Privacy Challenge
Across the country and around the world, organizations are discovering how serious the threat of information and identity theft can be.
Some are discovering the hard way, as recent large identity theft incidents at major corporate databases illustrate. The cost of failure has proven to include the loss of brand equity and public trust.
Because information and identity theft incidents are typically perpetrated by authorized users, stronger perimeter security and encryption have limited benefit in detecting and stopping them.
Use Cases for Information and Identity Theft
MASQUERADER: phishing, key logger, spyware
SECONDARY ATTACKS: worms/viruses, Trojans
INACTIVE ACCOUNTS: incomplete account decommissioning
ACCIDENTAL MISUSE: "innovative" employee
INSIDER: good guy gone bad
WEAK AUTHENTICATION: lost passwords
OUTSOURCING: trusted partner gone bad
Tactical Response
Data Management: "Need to know"
Privacy can be protected and business can continue with a good strategy and a practical tactical response.
The Compliance Reality
Database logging, traffic anomaly systems, intrusion detection systems, content filtering.
Traditional security products are not designed to monitor user activities at the data server.
Detection of Information Theft
Catching information theft requires determining in real time that the BEHAVIOR of an individual's information access is ANOMALOUS compared to his/her normal access behavior.
Behavior of information access: "WHO is doing WHAT to WHICH and HOW MUCH critical information, WHEN and from WHERE"
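The six dimensions named above (WHO, WHAT, WHICH, HOW MUCH, WHEN, WHERE) are what a behavioral detector has to baseline per user. The following is an added example, not code from the presentation or from any product it describes: each user's own history of data-server access is turned into a baseline, and a new event is reported on every dimension where it departs from that baseline, so a bulk read by an otherwise legitimate account (the INSIDER and OUTSOURCING cases in the use-case list) is caught even though the login itself is valid. The access events, user names, addresses and the volume factor are constructed assumptions.

```python
"""Score data-server access events against each user's own access baseline.

Added example, not code from the presentation. The history, users, addresses
and thresholds below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    user: str       # WHO
    action: str     # WHAT
    resource: str   # WHICH
    rows: int       # HOW MUCH
    hour: int       # WHEN (0-23, server local time)
    origin: str     # WHERE (client address)


# Constructed history standing in for a period of normal activity.
HISTORY = [
    AccessEvent("anne", "SELECT", "customers.address", 40, 9, "10.1.4.22"),
    AccessEvent("anne", "SELECT", "customers.address", 55, 11, "10.1.4.22"),
    AccessEvent("anne", "SELECT", "customers.phone", 30, 14, "10.1.4.22"),
    AccessEvent("anne", "UPDATE", "customers.address", 3, 16, "10.1.4.22"),
    AccessEvent("dba1", "SELECT", "cardholder.pan", 5, 10, "10.1.9.5"),
    AccessEvent("dba1", "GRANT", "cardholder.pan", 0, 15, "10.1.9.5"),
]

# Assumed policy: reading more than this multiple of the user's largest past
# result set is treated as a bulk extraction.
VOLUME_FACTOR = 3


def build_baselines(history: list[AccessEvent]) -> dict[str, dict]:
    """Collapse a user's history into the sets and ranges the detector compares against."""
    base: dict[str, dict] = defaultdict(
        lambda: {"actions": set(), "resources": set(), "origins": set(), "hours": [], "rows": []}
    )
    for e in history:
        b = base[e.user]
        b["actions"].add(e.action)
        b["resources"].add(e.resource)
        b["origins"].add(e.origin)
        b["hours"].append(e.hour)
        b["rows"].append(e.rows)
    return dict(base)


def score_event(event: AccessEvent, baselines: dict[str, dict]) -> list[str]:
    """Return one reason per dimension on which the event deviates; [] means normal."""
    b = baselines.get(event.user)
    if b is None:
        # An identity with no history cannot be judged normal; route it to review.
        return ["WHO: no baseline for this user"]
    reasons = []
    if event.action not in b["actions"]:
        reasons.append(f"WHAT: {event.action} never used before")
    if event.resource not in b["resources"]:
        reasons.append(f"WHICH: {event.resource} never accessed before")
    limit = VOLUME_FACTOR * max(b["rows"])
    if event.rows > limit:
        reasons.append(f"HOW MUCH: {event.rows} rows exceeds {limit}")
    lo, hi = min(b["hours"]), max(b["hours"])
    if not lo <= event.hour <= hi:
        reasons.append(f"WHEN: hour {event.hour} outside usual window {lo}-{hi}")
    if event.origin not in b["origins"]:
        reasons.append(f"WHERE: {event.origin} is a new origin")
    return reasons


def triage(events: list[AccessEvent], baselines: dict[str, dict]) -> dict[int, list[str]]:
    """Index of each flagged event mapped to its reasons; normal events are omitted."""
    flagged = {}
    for i, e in enumerate(events):
        reasons = score_event(e, baselines)
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    today = [
        AccessEvent("anne", "SELECT", "customers.address", 45, 11, "10.1.4.22"),
        AccessEvent("anne", "SELECT", "customers.address", 50000, 2, "203.0.113.9"),
        AccessEvent("anne", "SELECT", "cardholder.pan", 10, 10, "10.1.4.22"),
    ]
    for idx, why in triage(today, baselines).items():
        print(idx, why)
```

The second and third events in the `__main__` block are the cases the slide is about: a valid account reading far more than it ever has, at an unusual hour and from a new address, and the same account touching a table it has never used. Both pass perimeter controls and authentication, which is why the detection has to live at the data server. In practice the baseline needs enough history to be meaningful (a new employee's first week flags everything), the hour window should be built from more than a handful of events, and the row-count rule should be tuned per resource rather than one global factor.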
Traditional Audit Solutions
Traditional audit solutions are not user behavior aware. They have been point application-driven, custom-coded, after-the-fact report-driven and lacking correlation and analytics.
Solution: Activity Auditing
Provides a comprehensive, granular view into key compliance activities
Transparent solution that scales across the enterprise
Policy-based flexibility to respond to changing auditing requirements
Inherently real-time architecture that supplies compliance-driven audit reports and real-time security alerts and forensic information
Intelligent solution that provides automated correlation and analytics to specify and detect composite or anomalous behavior
PCI Compliance
Solves the difficult challenge of monitoring all access to cardholder information, including:
Identify sensitive data to reduce audit "information glut"
Monitor and log access to sensitive data across multiple applications
Audit all actions taken by individuals with root or administrative privileges
Capture full context for each event record, including the exact commands given to the data server, to facilitate forensic reconstruction of activity and the precise exposure of a PCI violation
Generate audit reports
Detect unauthorized access to sensitive information while it's happening, in real time
SOX Compliance
Provides a single, flexible, enterprise-level solution that can handle both current and future requirements, including:
Identify SOX-appropriate assets and activities
Monitor privileged user activity to ensure accuracy of financial information
Audit specific data access activity to demonstrate compliance with documented policies and procedures
Capture full context for each event record, including the exact commands given to the data server, to facilitate forensic reconstruction of activity
Generate audit reports
Information and Identity Theft Protection
Identify sensitive data to reduce audit “information glut”
Monitor and log access to sensitive data across multiple applications
Audit all actions taken by individuals with root or administrative privileges
Monitor user activity against mission-critical information and applications
Detect unauthorized access to high-risk information while it’s happening, in real-time
Real-time alerting to minimize the impact of breach
Contact
William (Bill) G. O'Brien
Systems Security Architect
Bell Canada
william.obrien@bell.ca
905-212-0236