does it security matter v 2

Upload: luke-oconnor

Posted on 03-Apr-2018


TRANSCRIPT

  • 7/29/2019 Does IT Security Matter v 2

  • 1/21 Does IT Security Matter?

    Dr. Luke O'Connor

    Group IT Risk

    Zurich Financial Services, Switzerland

    Faculty of Information Technology, QUT

    November 27th, 2007

  • 2/21 Outline

    A bit about Zurich and myself

    Nicholas Carr and knowing your neighbours

    Security Tectonics

    The Explanation is Mightier than the Action

    Risk and the New Math

    Final Grains of Wisdom

  • 3/21 Introduction to Zurich

    Offices in North America and Europe as well as in Asia Pacific, Latin America and other markets

    Servicing capabilities to manage programs with risk exposure in more than 170 countries

    Approximately 58,000 employees worldwide

    Insurer of the majority of Fortune's Global 100 companies

    Net income attributable to shareholders of USD 4.5 billion in 2006

    Business operating profit of USD 5.9 billion in 2006

  • 4/21 My Background

    Industrial Research (6 yr): What people might want

    Consulting (5 yr): What people say they want

    In house (2 yr): What people expect

    (Security) (Risk)

  • 5/21 G-IT Risk stakeholders

    [Diagram: GITR and its stakeholders. Labels as they appear: Service Providers; Zurich Business; GSM; Investigations; Project risk management; Capabilities; Finance; GITAG; Process/QM; Sourcing; Audit; Compliance; Legal; Risk; Group functions; G-IT support functions; Industry Bodies & Suppliers; GITR Partner Focus; G-ISP; Consume information and Services; External functions; Business A, B, C, x; Supplier A, B, x; Account Exec A, B, C, x; Co-operate; Service risk management; Primary interface for G-IT.]

  • 6/21 Does IT Matter?

    Carr, N., "IT Doesn't Matter", Harvard Business Review, Vol. 81, No. 5, May 2003
    Carr, N., Does IT Matter?, 2004

    IT doesn't matter and can't bring strategic advantage at present!

    Spend less

    Follow, don't lead

    Focus on vulnerabilities, not on opportunities

    IT management should become boring

    Manage risks and costs

  • 7/21 Good Neighbours, but Good Friends?

    [Diagram: Business, IT Department and IT Security side by side.]

    Business and IT Department: Business sees IT as something technical. There is a dependency but not a strategic relationship.

    IT Department and IT Security: IT Departments see IT Security as something technical. There is a dependency but not a strategic relationship.

  • 8/21 The Continental Drift of C, I, A (CIA: better known to business as "Call in Accenture")

    [Diagram: Security splits into Confidentiality, Integrity and Availability, with terms plotted against the layers TECHNICAL, CONCEPTUAL, ARCHITECTURAL, PROCESS and BUSINESS. Labels in the order they appear: SSL; VPN; SSL VPN; Database Encryption; Hard Disk Encryption; Data In Flight; Data at Rest; Data Retention; Data Leakage; Data Breach; Data Privacy; Cross Border Data Flow; Hashing & Checksums; Digital Signatures; Authentication; Access Control; Logging; One person, one ID; Rapid and flexible provisioning and deprovisioning of rights; Role Based Access Control; Anti-Virus; Firewalls; Anti-Spyware; DOS; ID Management; Financial Process Integrity; Backup & Restore; RAID, Clustering, Hot Swapping; Incident Response; Business Continuity; Disaster Recovery.]

  • 9/21 The Explanation is Mightier Than the Action

  • 10/21 Security Bingo

  • 11/21 Notable Security Setbacks

    Regulatory Frameworks over Security Frameworks (SOX over 7799)

    Excel over FUD (Fear, Uncertainty and Doubt)

    Reactive over Proactive

    SLAs over Security Program

    Commercial over Military

  • 12/21 The New-ish Security Model: From Castle to Airport

    Castle: Security mechanisms are static and difficult to change.
    Airport: Security mechanisms are dynamic and responsive to threats.

    Castle: Reliance on a few mechanisms. Castle walls are impregnable. Once inside, security mechanisms are minimal.
    Airport: Uses multiple overlapping technologies for defence in depth.

    Castle: Known community have unrestricted access within the security boundary.
    Airport: Security must be maintained whilst an unknown population traverses. Security of inclusion (ensuring the right people have access to the right resources) and Security of exclusion (ensuring that assets are protected). Use of roles to determine security requirements.

    Castle: Silo mentality in organisation.
    Airport: Requires an open, co-ordinated, global approach to security.

  • 13/21 The next Big Thing: Network Access Control (NAC). How do you sell this to your IT Department or Business?

    [Network diagram. Labels: Remote Access DMZ; Quarantine Network; Trusted Network; Firewall Cluster (two); VPN Concentrator; Trusted VLANs; Access to a restricted set of web applications based on user role; Access to a restricted VLAN based on user role; IDS Sensor (two); Network Access Control Server; Platform Configuration Server; Quarantine Server; DMZ Network; AAA Server.]

  • 14/21 From Security ...

    [Diagram: four columns, Objectives, Controls, Testing and Report, with the bottom captions Perceived, Desired, Reality and The Plan.]

    Objectives: ISO 17799, ISF, Cobit, NIST, Your Policies and Standards, etc.

    Controls: ISO 17799, ISF, Cobit, NIST, Your Service Catalogue, etc.

    Testing: Documentation, Questionnaires, Interviews, Demonstrations, Inspections, Tooling, 3rd Party Analysis

    Report: Control Effectiveness, Compliance, Risk, Mitigation, Priorities

  • 15/21 ... to Risk

    Description: What could happen?
    Trigger: How could it happen?
    Consequence: What is the impact?

    Probability: How often?
    Severity: How bad?

  • 16/21 Controls as Risk (as is)

    [Diagram: a Control Objective (e.g. CoBIT) implemented by Controls C1, C2, C3 and C4; a Control Assessment rates each control Effective, Needs Improvement or Not Effective, and each rating is followed by the question "Risk?"]

    Risk Scenarios are reformulations of control deficiencies (gaps)

    NO! Control Gaps are potential triggers of Risk

  • 17/21 IT Risk Components

    IT Projects Risk: Financial & Resources; Compliance & Audit; Contract & Supplier Mgmt; IT Architecture & Strategy; IT Project Management Risks; Facilities & Environment; IT Operations & Support; Time to Deliver; IT Security

    IT Services Risk: Service Level Management; Capacity Planning; Contingency Planning; Availability Management; Cost Management; Configuration Management; Problem Management; Change Management; Help Desk; Software Control & Distribution; IT Security

  • 18/21 Zurich's IT Risk Management Framework

    1. The ABC (Assessment of Business Criticality) risk analysis prioritizes resources for the object to be assessed. Below threshold: no further analysis, apply Policies and Standards. Above threshold: the object goes on to the project (2) or service (3) analysis.

    2. Project: Project Risk Tool, optimised risk analysis for projects; risk assessment within the PMO process.

    3. Service: Service Risk Tool, optimised risk analysis for services; facilitated assessments and self-assessments.

    4. Group IT Risk Register (Central): the risk register provides a single global data store for analysis and reporting.

    5. Group IT Risk Reporting: dashboard, actions monitoring, QRR; reporting, escalation and action monitoring.

    Also shown: Project Risk Consulting; Services Risk Consulting; IT Security Risk Assessments.

  • 19/21 Relation to Operational Risk

    [Diagram of the IT risk and operational risk (opRisk) processes. Labels: IT Project Risk Assessments; IT Service Risk Assessments; opRisk QRA; opRisk KRIs; opRisk LED Collection; IT Risk Incident Management; opRisk Modeling and Quantification; Common Risk Repository; opRisk Reporting; IT Risk Reporting; Common IT Infrastructure; Other Sources: ICF, TRP, ...; Awareness, Well Informed Decision Making, Incentives, Performance Measurement, Capital Allocation. Legend: opRisk Process; IT Risk Process; Joint Effort; Data Flow; Input; Other Process.]

  • 20/21 Conclusion: Does IT Security Matter?

    IT Security in general is not an end in itself

    IT Security is one area competing for attention and funding, amongst many

    If you don't make IT security matter, it won't

    Keeping business secure is the main end

    Focus on securing business processes, not the process of securing

    Excel is your new best friend

    Make your spreadsheets work with their spreadsheets

    A risk-based approach is the opportunity to speak business language

    Don't replace FUD with GIGO (garbage in, garbage out)

  • 21/21 Over to you