Assocham conf grc sept 13

Cyber Governance & Business Assurance in Cyber Era - Challenges Before the Corporates

Prof. K. Subramanian
SM(IEEE, USA), SMACM(USA), FIETE, SMCSI, MAIMA, MAIS(USA), MCFE(USA)
Founder Director & Professor, Advanced Center for Informatics & Innovative Learning (ACIIL), IGNOU
Ex-IT Adviser to CAG of India; Ex-DDG(NIC), Ministry of Comm. & IT
Emeritus President, eInformation Systems, Security, Audit Association
Former President, Cyber Society of India

Uploaded by subramanian-k, posted 12-Jan-2015 (category: Business)

TRANSCRIPT

Page 1: Assocham conf  grc  sept 13


Page 2: Assocham conf  grc  sept 13

Agenda
• Introduction
• Cyber Governance & Governance components
• Risk assurance (modelling & other approaches)
• Standards & Compliance
• Assurance Framework & PPP
• Challenges for Technologists & Businesses

Page 3: Assocham conf  grc  sept 13

Notable Quotes

"The poor have sometimes objected to being governed badly; the rich have always objected to being governed at all." -- G. K. Chesterton

"Ever since men began to modify their lives by using technology they have found themselves in a series of technological traps." -- Roger Revelle

"The law is the last interpretation of the law given by the last judge." -- Anon.

"Privacy is where technology and the law collide." -- Richard Smith (who traced the 'I Love You' and 'Melissa' viruses)

"Technology makes it possible for people to gain control over everything, except over technology." -- John Tudor

Page 4: Assocham conf  grc  sept 13

10th September 2013 Prof. KS@2013 Assocham conf GRC 2013

Figure: Organizations and Information Technology, linked through mediating factors: environment, culture, structure, standard procedures, politics, management decisions, chance.

Page 5: Assocham conf  grc  sept 13

Principles of Good Governance: Leadership, Selflessness, Integrity, Objectivity, Accountability, Openness, Honesty

Humane Governance:
• Should be creative
• Uses knowledge for national wealth and health creation
• Understands the economics of knowledge
• High morality

Page 6: Assocham conf  grc  sept 13

Governance Components: Project Governance, IT Governance, Legal Governance, Security Governance, Human & Humane Governance

Page 7: Assocham conf  grc  sept 13

Cyber Governance Components
• Environmental & ICT Infrastructure
• Operational (logistics integration)
• Technology (synergy & convergence)
• Network (multi-modal network)
• Management (HRM, SCM & CRM)
• Impact (feedback correction)

Integration dimensions: Operational Integration (functional), Professional Integration (HR), Emotional/Cultural Integration, Technology Integration

Page 8: Assocham conf  grc  sept 13

Corporate Governance / Business Assurance Framework

Global phenomena: Combined Code of the UK and SOX of the USA; Basel II & III; Project Governance; IT Governance; Human & Humane Governance

India initiatives:
1. Clause 49
2. Basel II & III - RBI
3. SEBI corporate governance implementation directives
4. Risk management - RBI & TRAI
5. MCA initiatives

Page 9: Assocham conf  grc  sept 13

Global issues with Governance of Cyber Space
• Information Technology & Business: current status and future
• Does IT matter? IT-enabled business: role of information and information systems in business; role of information technology in enabling business; IT dependence
• Changing role of the CIO
• Web 2.0 and 3.0 and governing cyberspace
• eBusiness, eHealth, eBanking, eGovernance
• Current challenges and issues

Page 10: Assocham conf  grc  sept 13

Creating Trust in an Enterprise

Today's information explosion is creating challenges for business and technology leaders at virtually every organization. The lack of trusted information and pressure to reduce costs is on the minds of CEOs and senior executives around the world.

What's required to solve these challenges is a paradigm shift - from generating and managing silos - of information, of talent and skills, of technologies and of projects to an environment where information is a trusted, strategic asset that is shared across the company.


Page 11: Assocham conf  grc  sept 13

Transition: Insurance, Audit, Assurance - a layered framework

Figure: Assurance Layered Framework.
• Insurance
• Audit: pre, concurrent and post IT audit across environmental, operational, technology, network, financial, management and impact layers
• Electronic continuous audit, certification, assurance
• Assurance: Management & Operational Assurance (risk & ROI); Technical Assurance (availability, serviceability & maintainability); Financial Assurance and Revenue Assurance (leakage & fraud); Legal Compliance & Assurance (governance)

Page 12: Assocham conf  grc  sept 13

Why Assurance? Competitive Threats & Way Forward

Competitive threats:
• Internal competition from liberalization
• World competition from globalization
• Entrenched competition abroad
• Asymmetry in scale, technology, brands
• Industry shakeouts and restructuring

Way forward:
• Learn more about own businesses.
• Reach out to all Business & Function Heads.
• Sharpen internal consultancy competences.
• Proactively seize the repertoire of MS & partners.
• Foster two-way flow of IS & line talent.

Page 13: Assocham conf  grc  sept 13

Key Areas of Assurance

• Organizational: systems in place to identify & mitigate differing risk perceptions of stakeholders to meet business needs
• Supplier: confidence that the controls of third-party suppliers are adequate & meet the organization's benchmarks
• Business Partners: confirmation that security arrangements with partners assess & mitigate business risk
• Services & IT Systems: capability of developers and suppliers of IT services & systems to implement effective systems to manage risks to the organization's business

Page 14: Assocham conf  grc  sept 13

What and Why of Business Assurance

• Manufacturing: developing & implementing policies & procedures to ensure operations are efficient, consistent, effective & compliant with law
• Services: process that establishes uninterrupted delivery of services to the customer and protects their interests & information
• Project: confirmation that the business case is viable and actual costs and timelines are in line with planned costs & schedules
• Objective: delivers significant commercial value to the business while fully compliant with regulatory requirements; to avoid Enron-type scandals and comply with Sarbanes-Oxley in the US and Clause 49 in India

Page 15: Assocham conf  grc  sept 13

Assurance Stakeholders

Stakeholders for business assurance: Board of Directors, Management, Staff/Employees, Organisation, Customers, Public, Suppliers, Enforcement & regulatory authorities, Owner, Creditors, Shareholders, Insurers, Business partners

Page 16: Assocham conf  grc  sept 13

Benefits of Assurance

• Contributes to effectiveness & efficiency of business operations
• Ensures reliability & continuity of information systems
• Assists in compliance with laws & regulations
• Assures that organizational risk exposure is mitigated
• Confirms that internal information is accurate & reliable
• Increases investor and lender confidence

Page 17: Assocham conf  grc  sept 13

Benefits of Assurance

• Supports informed decision making at management and Board level
• Identifies and exploits areas of risk-based advantage
• Ability to aggregate business unit risk in multiple jurisdictions & locations
• Demonstrates proactive risk stewardship
• Establishes a process to stabilize results by protecting them from disturbance
• Enables independent directors to decide with comfort and confidence

Page 18: Assocham conf  grc  sept 13

Design Parameters

Figure: strategic compact / partnerships between stakeholder groups (Business - technical, Business - financial, Government - regulatory, Government - developmental, Civil society - informational, Civil society - technical) across five design parameters.

Stakeholder contributions:
• Business (technical and financial): ICT operations and maintenance; ICT planning and design; investment in R&D; marketing and distribution; project management and construction; training; borrowing capacity; capital investment, e.g. network expansion; ICT technical solutions; revenue collection; ICT risk/venture capital; sales and promotions
• Government (regulatory and developmental): subsidies; access to development finance; ICT regulatory powers (price, quality, interconnections, competition); ICT transaction/concession design; investment promotion; legal framework for freedom of information; ICT infrastructure strategy; ICT skills development
• Civil society (informational and technical): innovation (high risk), e.g. community telecentres; local customer knowledge; capacity to network; a voice for the socially excluded; expertise in design of 'relevant' content; knowledge of user demand, e.g. technology and information gaps; capacity to mobilise civil society

Design parameters:
• Human Capacity: ICT technicians in govt, business and civil society; ICT user-awareness and skills; support for entrepreneurs
• Infrastructure: suitable primary architecture; suitable secondary technology; acceptable cost/risks of deployment; universal access (rural/urban); adequate subscriber density
• Enterprise: access to finance and credit; supportive property rights and commercial law; development of ICT suppliers and service SMEs; stimulation of demand, e.g. govt 'leads by example' through procurement
• Policy and Regulations: investment promotion and ownership rules; fair tax regimes for business and society; transparent policy making; effective regulatory frameworks (price, quality, interconnection, competition); adequate institutional capacity
• Content and Applications: relevant to development goals and user needs, e.g. voice, e-mail, national/global connectivity; content compatible with education, cultural sensitivities and language; affordable access (equipment, connection and content)

Page 19: Assocham conf  grc  sept 13

• Operational Integration
• Professional Integration (HR)
• Emotional/Cultural Integration
• ICT & Government Business & Services Integration
• Multi-technology coexistence and seamless integration
• Information Assurance: quality, currency, customization/personalization

ICE is the sole integrator; IT Governance is important

Page 20: Assocham conf  grc  sept 13

Managing Interdependencies - Critical Issues
• Infrastructure characteristics (organizational, operational, temporal, spatial)
• Environment (economic, legal/regulatory, technical, social/political)
• Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex)
• Type of failure (common cause, cascading, escalating)
• Types of interdependencies (physical, cyber, logical, geographic)
• State of operations (normal, stressed/disrupted, repair/restoration)

Page 21: Assocham conf  grc  sept 13

Towards Information Assurance

Increasingly, the goal isn't about information security but about information assurance, which deals with issues such as data availability and integrity. That means organizations should focus not only on risk avoidance but also on risk management, she said. "You have to be able to evaluate risks and articulate them in business terms."

-- Jane Scott-Norris, CISO at the U.S. State Department

Page 22: Assocham conf  grc  sept 13


Up The Value Chain

Page 23: Assocham conf  grc  sept 13

Enabling to rapidly move up the Governance Evolution Staircase

Figure: Governance Evolution Staircase. Axes: Cost/Complexity against Time (labels also present: Trigger, Value, Constituent); each stage is described along four dimensions: Strategy/Policy, People, Process, Technology.

1. Presence: publish; existing; streamline processes; web site; markup
2. Interaction: searchable database; public response/e-mail; content mgmt.; increased support staff; governance; knowledge mgmt.; e-mail best practices; content mgmt.; metadata; data synch.; search engine; e-mail
3. Transaction: competition; confidentiality/privacy; fee for transaction; e-authentication; self-services; skill set changes; portfolio mgmt.; sourcing; increased business staff; BPR; relationship mgmt.; online interfaces; channel mgmt.; legacy system links; security; information access; 24x7 infrastructure; sourcing
4. Transformation: funding stream allocations; agency identity; "Big Browser"; job structures; relocation/telecommuting; organization; performance accountability; multiple-programs skills; privacy reduces; integrated services; change value chain; new processes/services; change relationships (G2G, G2B, G2C, G2E); new applications; new data structures
5. Outsourcing: define policy and outsource execution; retain monitoring and control; outsource service delivery staff; outsource process execution staff; outsource customer-facing processes; outsource backend processes; applications; infrastructure; evolve PPP model

Page 24: Assocham conf  grc  sept 13

Why information security Governance is important

With security incidents and data breaches having a huge impact on corporations, security governance, or oversight by the board and executive management, has assumed importance.

Security governance refers to the strategic direction given by the board and executive management for managing information security risks to achieve corporate objectives by reducing losses and liabilities arising from security incidents.

Page 25: Assocham conf  grc  sept 13

Towards Security Governance

Security governance would lead to the development of an information security strategy and an action plan for implementation through a well-defined information security program. Governance would lead to the establishment of organizational structures, processes and monitoring schemes.

For the past few years, IT and security professionals have talked about information technology, and particularly information security, as a "business enabler." Today, it might also be called a "compliance enabler." IT and security organizations have both been on the front lines for compliance efforts and are now being asked to play two pivotal roles:
• first, to provide a secure, well-controlled IT environment to improve business performance
• and second, to assist the organization in strategically and tactically addressing its governance, risk and compliance requirements

Page 26: Assocham conf  grc  sept 13

Threat & Vulnerability Management

• Authenticating user identities with a range of mechanisms, such as tokens, biometrics and Public Key Infrastructure
• Developing user access policies and procedures, rules and responsibilities and a standardized role structure that helps organizations meet and enforce security standards
• Centralizing user data stores in a single enterprise directory that enables increased efficiencies in user administration, access control and authentication
• Reducing IT operating costs and increasing efficiency by implementing effective user management to support self-service and automate workflow, and by provisioning and instituting flexible user administration

• You need an integrated threat and vulnerability management solution to better monitor, report on and respond to complex security threats and vulnerabilities, as well as meet regulatory requirements.
• You need to protect both your own information assets and those you are custodian of, such as sensitive customer data.
• You want a real-time, integrated snapshot of your security posture.
• You want to correlate events from data emerging from multiple security touch points.
• You need support from a comprehensive inventory of known threat exposures.
• You need to reduce the cost of ownership of your threat and vulnerability management system.

Page 27: Assocham conf  grc  sept 13

Risk Identification
• Assess current security capabilities, including threat management, vulnerability management, compliance management, reporting and intelligence analysis.
• Define c
• Identify technology requirements for bridging security gaps

Integrated Security Information Management
• Develop processes to evaluate and prioritize security intelligence information received from external sources, allowing organizations to minimize risks before an attack
• Implement processes that support the ongoing maintenance, evolution and administration of security standards and policies
• Determine asset attributes, such as direct and indirect associations, sensitivity and asset criticality, to help organizations allocate resources strategically
• Assist in aggregating security data from multiple sources in a central repository or "dashboard" for user-friendly presentation to managers and auditors
• Help design and implement a comprehensive security reporting system that provides a periodic, holistic view of all IT risk and compliance systems and outputs
• Assist in developing governance programs to enforce policies and accountability

Page 28: Assocham conf  grc  sept 13

9 Rules of Risk Management (RiskMetrics Group)

• There is no return without risk: rewards go to those who take risks.
• Be transparent.
• Risk is measured and managed by people, not mathematical models.
• Know what you don't know: question the assumptions you make.
• Communicate: risk should be discussed openly.
• Diversify: multiple risks will produce more consistent rewards.
• Show discipline: a consistent and rigorous approach will beat a constantly changing strategy.
• Use common sense: it is better to be approximately right than to be precisely wrong.
• Return is only half the question: decisions are to be made only by considering the risk and return of the possibilities.

Page 29: Assocham conf  grc  sept 13

The Insider - Who are They?

Who is an insider? Those who work for the target organization or those having relationships with the firm with some level of access: employees, contractors, business partners, customers etc.

CSI/FBI Survey key findings (2007-2013):
• average annual losses $billion in the past year, up sharply from the $350,000 reported the previous year
• Insider attacks have now surpassed viruses as the most common cause of security incidents in the enterprise
• 63 percent of respondents said that losses due to insider-related events accounted for 20 percent of their losses (the prevalence of insider criminals may be overblown by vendors of insider threat tools!)

Page 30: Assocham conf  grc  sept 13

Solutions Based on Study Recommendations
• Prevention by pre-hire screening of employees; training and education
• Early detection and treat the symptoms: attack precursors exist, some of them non-cyber events
• Establish good audit procedures
• Disable access at appropriate times
• Develop best practices for prevention and detection
• Separation of duties and least privilege
• Strict password and account management policies
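Two of the recommendations above, "disable access at appropriate times" and "separation of duties", can be turned into audit checks that run over an access log. The following is an added example, not from the slides or the presenter: the roster, the log lines, the user names and the action names are all constructed for illustration.

```python
"""Added example (not from the slides): two insider-threat recommendations,
"disable access at appropriate times" and "separation of duties", expressed as
audit rules over a constructed access log.

All names, dates and log lines below are constructed for illustration."""
from datetime import date, datetime

# Constructed HR roster: user -> last authorised day (None = still employed).
ROSTER = {
    "alice": None,
    "bob": date(2013, 9, 5),     # contractor whose engagement ended
    "carol": None,
    "dave": date(2013, 8, 30),   # left the firm
}

# Constructed audit trail: (ISO timestamp, user, action, object).
LOG = [
    ("2013-09-02T09:10:00", "alice", "login", "vpn"),
    ("2013-09-03T14:22:00", "dave", "login", "vpn"),                # after 2013-08-30
    ("2013-09-06T08:01:00", "bob", "read", "payroll_db"),           # after 2013-09-05
    ("2013-09-06T10:30:00", "carol", "create_payment", "PAY-1001"),
    ("2013-09-06T11:05:00", "carol", "approve_payment", "PAY-1001"),  # self-approval
    ("2013-09-06T11:40:00", "alice", "create_payment", "PAY-1002"),
    ("2013-09-06T12:00:00", "carol", "approve_payment", "PAY-1002"),
]


def access_after_revocation(log, roster):
    """Events where a user acted after the day their access should have been
    disabled: evidence that de-provisioning did not happen on time."""
    findings = []
    for ts, user, action, obj in log:
        end = roster.get(user)
        if end is not None and datetime.fromisoformat(ts).date() > end:
            findings.append((user, ts, action, obj))
    return findings


def sod_violations(log, initiate="create_payment", approve="approve_payment"):
    """Objects that the same user both initiated and approved, which breaks
    separation of duties for that workflow."""
    creators = {obj: user for _, user, action, obj in log if action == initiate}
    return sorted(obj for _, user, action, obj in log
                  if action == approve and creators.get(obj) == user)


if __name__ == "__main__":
    for finding in access_after_revocation(LOG, ROSTER):
        print("stale access:", finding)
    for obj in sod_violations(LOG):
        print("separation-of-duties violation:", obj)
```

On the constructed data this flags dave and bob (both active after their end dates) and payment PAY-1001 (created and approved by the same user); PAY-1002 passes because a different user approved it. A user absent from the roster is not flagged by the first check, so in practice the roster join itself is a control worth auditing.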

Page 31: Assocham conf  grc  sept 13

Threat Modeling
• Threat modeling is critical to address security: prevention, detection, mitigation
• There is no universal model yet; mostly case-by-case; efforts are under way
• Microsoft threat modeling tool: allows one to uncover security flaws using STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege)
• Decompose, analyze and mitigate
• Insider threat modeling essential
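The "decompose, analyze and mitigate" sequence with STRIDE can be shown on a small data-flow diagram. The following is an added example, not from the slides and not the Microsoft tool: the element-to-threat table is the standard STRIDE-per-element mapping (external entities face S and R; processes face all six; data flows T, I and D; data stores T, R, I and D), while the diagram, the control names and the control-to-category mapping are constructed for illustration.

```python
"""Added example (not from the slides or the Microsoft tool): a STRIDE-per-element
pass over a constructed data-flow diagram. For each element it lists the STRIDE
categories that apply and reports those not covered by any declared control.

The applicability table is the standard STRIDE-per-element mapping; the DFD,
control names and the coarse control-to-category mapping are constructed."""

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element: which categories apply to which DFD element type.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}

# Control classes treated as addressing each category (constructed, coarse).
COVERS = {
    "S": {"authentication", "mutual_tls"},
    "T": {"input_validation", "integrity_check", "mutual_tls"},
    "R": {"audit_logging"},
    "I": {"encryption", "access_control", "mutual_tls"},
    "D": {"rate_limiting", "redundancy"},
    "E": {"least_privilege", "authorization"},
}


def applicable_threats(element_type):
    """Decompose step: the STRIDE categories an element type must consider."""
    return [STRIDE[c] for c in APPLICABLE[element_type]]


def residual_threats(element):
    """Analyze step: applicable categories with no declared covering control."""
    controls = set(element.get("controls", ()))
    return [STRIDE[c] for c in APPLICABLE[element["type"]]
            if not (COVERS[c] & controls)]


def analyze(dfd):
    """Mitigate step input: element name -> threats still open."""
    return {e["name"]: residual_threats(e) for e in dfd}


# Constructed DFD: a browser user talks to a web app that reads a customer database.
DFD = [
    {"name": "browser user", "type": "external_entity",
     "controls": ["authentication"]},
    {"name": "web app", "type": "process",
     "controls": ["authentication", "input_validation", "audit_logging", "authorization"]},
    {"name": "user->web app (HTTP)", "type": "data_flow", "controls": []},
    {"name": "customer db", "type": "data_store",
     "controls": ["access_control", "audit_logging"]},
]

if __name__ == "__main__":
    for name, open_threats in analyze(DFD).items():
        print(f"{name}: {', '.join(open_threats) or 'no residual STRIDE threats'}")
```

On the constructed diagram the unprotected HTTP data flow comes back with tampering, information disclosure and denial of service all open, which is the expected prompt to add transport protection; the data store shows tampering and denial of service open despite access control and logging. The coverage table is deliberately coarse: in a real model each control should be judged against the specific threat, not just its category.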

Page 32: Assocham conf  grc  sept 13

Insider Threat Modeling - How modeling can help you
• An alternative to live vulnerability testing (which is not feasible)
• Modeling and analysis will reveal possible attack strategies of an insider
• Modeling and risk analysis can help answer the following questions statically: How secure is the existing setup? Which points are most vulnerable? What are likely attack strategies? Where must security systems be placed?
• What you cannot model: non-cyber events (disclosures, memory dumps, etc.)

Page 33: Assocham conf  grc  sept 13

Information-Centric Modeling (University at Buffalo - CEISARE)
• Developed the concept of a Capability Acquisition Graph for insider threat assessment
• Part of a DARPA initiative
• Built a tool called ICMAP (Information-Centric Modeler and Auditor Program)
• Publications in ACSAC 2004, IEEE DSN 2005, JCO 2005, IEEE ICC 2006, IFIP 11.9 Digital Forensics Conference 2007
• Curriculum: computing, mathematical, legal, managerial and informatics
• Various CAEs (certified by NSA, DHS): USMA, Syracuse, Buffalo, Stony Brook, Polytechnic, Pace, RIT

Page 34: Assocham conf  grc  sept 13

Practical Considerations
• How is a model instance generated? Define the scope of the threat; a step-by-step bottom-up approach starting with potential targets
• Who constructs the model instance? A knowledgeable security analyst
• How are costs defined? Cryptographic access control mechanisms have well-defined costs; use attack templates, vulnerability reports, the attacker's privilege and the resources that need to be protected; Low, Medium and High relative cost assignment
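The relative cost assignment above, together with the questions the earlier slide poses ("which points are most vulnerable?", "where must security systems be placed?"), can be worked through on a toy graph. The following is an added example, not from the slides and not the ICMAP tool: a capability-acquisition-style graph in which each edge carries the slide's Low/Medium/High label, the cheapest path from an ordinary employee login to a protected resource is computed, and each edge is tried as the place for an added control to see which raises that cheapest cost the most. The nodes, edges and costs are constructed and describe no real system.

```python
"""Added example (not from the slides or the ICMAP tool): a toy capability-
acquisition-style graph with Low/Medium/High relative costs, used to find the
cheapest insider path to a target (the most vulnerable points) and the edge
where an added control raises that cost the most (where to place security).

Nodes, edges and cost labels are constructed for illustration only."""
import heapq

# Relative cost assignment from the slide, mapped to numbers for path arithmetic.
COST = {"Low": 1, "Medium": 2, "High": 3}

# Constructed model: (capability held, capability gained) -> relative cost.
EDGES = {
    ("employee_login", "shared_drive"): "Low",
    ("employee_login", "dev_wiki"): "Low",
    ("employee_login", "hr_portal"): "Medium",
    ("shared_drive", "db_credentials"): "Medium",  # credentials left in a script
    ("dev_wiki", "db_credentials"): "Medium",      # same credentials pasted on a wiki page
    ("db_credentials", "payroll_db"): "Low",
    ("hr_portal", "payroll_db"): "High",
}


def cheapest_path(edges, start, target):
    """Dijkstra over relative costs. Returns (total_cost, [nodes]), or
    (None, []) when the target is not reachable from start."""
    adjacency = {}
    for (src, dst), label in edges.items():
        adjacency.setdefault(src, []).append((dst, COST[label]))
    best = {start: 0}
    previous = {}
    frontier = [(0, start)]
    while frontier:
        dist, node = heapq.heappop(frontier)
        if dist > best.get(node, float("inf")):
            continue                      # stale heap entry
        if node == target:
            path = [node]
            while path[-1] != start:
                path.append(previous[path[-1]])
            return dist, path[::-1]
        for nxt, weight in adjacency.get(node, []):
            if dist + weight < best.get(nxt, float("inf")):
                best[nxt] = dist + weight
                previous[nxt] = node
                heapq.heappush(frontier, (dist + weight, nxt))
    return None, []


def best_control_placement(edges, start, target):
    """Raise each non-High edge to High in turn (modelling an added control) and
    return the (edge, gain) whose hardening raises the cheapest cost the most.
    Edges off every cheapest path yield a gain of 0."""
    base, _ = cheapest_path(edges, start, target)
    gains = {}
    for edge, label in edges.items():
        if label == "High":
            continue
        hardened = dict(edges)
        hardened[edge] = "High"
        new_cost, _ = cheapest_path(hardened, start, target)
        gains[edge] = new_cost - base
    return max(gains.items(), key=lambda item: item[1])


if __name__ == "__main__":
    cost, path = cheapest_path(EDGES, "employee_login", "payroll_db")
    print("cheapest insider path (most vulnerable points):", cost, " -> ".join(path))
    edge, gain = best_control_placement(EDGES, "employee_login", "payroll_db")
    print("place a control on edge", edge, "- raises cheapest cost by", gain)
```

On the constructed graph the cheapest path costs 4 and runs through the leaked database credentials. Hardening either of the two routes to those credentials gains nothing, because the other route remains at the same cost; only the credentials-to-database edge is on every cheapest path, so that is where a single added control (for example, rotating the credentials and requiring a second factor at the database) pays off. This is the static "where must security systems be placed?" analysis the slides describe, on a model rather than on a live system.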

Page 35: Assocham conf  grc  sept 13

Three Key Issues and 5 Major IT Decisions
1. The need to reduce IT confusion and chaos
2. Environment demands accountability
3. Only the most productive organisations will thrive

Page 36: Assocham conf  grc  sept 13


Calder- Moir IT Governance Framework

Page 37: Assocham conf  grc  sept 13

• CIO & CEO: Business-led information strategy
• CIO & CMO: Competitive edge & CVP
• CIO & CTO: Cost-benefit optimization
• CIO & CFO: Shareholder value maximization
• CIO & CHRO: Employee performance and rewards
• CIO & Business Partners: Virtual extended enterprise
• CXO: Internal strategic alliances

Page 38: Assocham conf  grc  sept 13

The Productivity Promise
• Capital Productivity (ROI, EVA, MVA)
• Material Productivity (60% of cost)
• Managerial Productivity (information worker)
• Labour Productivity (enabled by IW)
• Company Productivity (micro)
• Factor Productivity (macro)

Page 39: Assocham conf  grc  sept 13

CEO-CTO-CIO-CSO Responsibility

"These systems should ensure that both business and technology managers are properly engaged in identifying compliance requirements and planning compliance initiatives which typically involve complementary adjustments in systems, practices, training and organization"

CXO & IT Governance: the roles and responsibilities for IT governance, highlighting the parts played by the CEO, business executives, CIO, IT steering committee, technology council, and IT architecture review board

Page 40: Assocham conf  grc  sept 13


Four Faces of a CIO &CIO Management Framework

Page 41: Assocham conf  grc  sept 13

Information As Competitive Advantage
• For visioning and strategic planning: scenarios & simulations.
• World-class project management: hard and soft.
• Implementation and operational excellence.
• DSS, EIS, CRM etc. for optimization and control.

Page 42: Assocham conf  grc  sept 13

Way Forward
• Learn more about own businesses.
• Reach out to all Business & Function Heads.
• Sharpen internal consultancy competences.
• Proactively seize the repertoire of MS & partners.
• Foster two-way flow of IS & line talent.

Page 43: Assocham conf  grc  sept 13

Process Governance

1. Develop an Aligned Strategic IT Plan: The step-by-step format of this methodology will walk you through our proven process for creating a strategic IT plan that is aligned with your organization's business objectives.

2. Create a Collaborative Decision-Making Process: As IT impacts more business procedures, more stakeholders will become involved in the decision-making process. This methodology helps you develop a structured and efficient decision-making forum.

Page 44: Assocham conf  grc  sept 13

Process Governance

3. Raise the Profile of IT: By aligning IT planning with organizational goals, IT will become a key player in evaluating the business issues that factor into enterprise-wide decision making.

4. Get the Green Light: Keep going.

Page 45: Assocham conf  grc  sept 13

Measurement of IT Projects Value and Effectiveness

IT Assessment: 1. Validity or relevance 2. Protectibility 3. Quantifiability 4. Informativeness 5. Generality 6. Transferability 7. Reliability to other parts of the organization

Effectiveness, Utility, Efficiency, Economy, Control, Security

Assessment of IT Functions: Strategy, Delivery, Technology, People, Systems

Page 46: Assocham conf  grc  sept 13

Standards, Standards, Standards
• Security
• Audit
• Interoperability
• Interface (systems/devices/comm.)
• Architecture/Building blocks/Reusable
• HCI (Human Computer Interface)
• Process
• Environmental (physical, safety)
• Data interchange & mail messaging
• Layout/Imprint

Page 47: Assocham conf  grc  sept 13

Importance of Group Standards - no one standard meets all requirements: ISO 27001/BS7799 vs COBIT vs CMM & PCMM vs ITIL

Mission -> Business Objectives -> Business Risks -> Applicable Risks -> Internal Controls -> Review

Page 48: Assocham conf  grc  sept 13

"IT Regulations and Policies - Compliance & Management"

Pre-requisites: physical infrastructure and mind-set
• PAST: We have inherited a past, for which we cannot be held responsible.
• PRESENT: We have fashioned the present on the basis of development models, which have undergone many mid-course corrections.
• FUTURE: The path to the future -- a future in which India and Indians will play a dominant role in world affairs -- is replete with opportunities and challenges.

In a number of key areas, it is necessary to break from the past in order to achieve our Vision.
We have within ourselves the capacity to succeed.
We have to embrace ICE for Innovation, Creativity, Management, Productivity & Governance.

Page 49: Assocham conf  grc  sept 13

"IT Regulations and Policies - Compliance & Management": Creativity vs Command Control
• Too much creativity results in anarchy
• Too much command & control kills creativity

We need a balancing act in IT regulations and policies - compliance & management

Page 50: Assocham conf  grc  sept 13

Governance & Assurance Maturity Model

Page 51: Assocham conf  grc  sept 13


Assurance in the PPP Environment

Page 52: Assocham conf  grc  sept 13

Governance - Final Message

"In Governance matters, Past is no guarantee; Present is imperfect & Future is uncertain"

“Failure is not when we fall down, but when we fail to get up”

Page 53: Assocham conf  grc  sept 13

Learning From Experience

1. The only source of knowledge is experience.   -- Einstein

2. One must learn by doing the thing; for though you think you know it, you have no certainty, until you try.   -- Sophocles

3. Experience is a hard teacher because she gives the test first, and the lesson afterwards.   -- Vernon Sanders Law

4. Nothing is a waste of time if you use the experience wisely.    -- Rodin

Page 54: Assocham conf  grc  sept 13

Security/Risk Assurance - Expectations

"To determine how much is too much, so that we can implement appropriate security measures to build adequate confidence and trust"

"To derive a powerful logic for implementing or not implementing a security measure"

Page 55: Assocham conf  grc  sept 13

THANK YOU

For Interaction:
Prof. K. [email protected]
[email protected]
011-22723557

Let us Assure Good Cyber Governance & Business Assurance in Cyber Era