Surviving a Security Audit
Janet L. Bonds
AVP Technology and Controls
www.inginvestment.com
What’s in the Survival Kit: Agenda
- ING Investment Management
- Compliance: The rules, they are a changin’
- Strategies: So Many Rules, So Little Time
- Implementing Solutions:
  – Change Management
  – Security
Creating a Culture of Compliance
ING Investment Management
ING Investment Management is a leading global asset manager.
- Manages approximately €343 billion of assets for institutions and individual investors worldwide.
- Principal asset manager of ING Group, the global financial services company.
- Over 3,300 employees
- An investment presence in 33 countries across the Americas, Asia-Pacific, Europe and the Middle East
- Provides clients with access to domestic, regional and global investments.
www.inginvestmentmanagement.com
Investment Capabilities
Our investment mission: Find unrecognized value ahead of consensus.
Investment Capabilities
Awesome Research & Analysis….
News: May 28, 2010
After a choppy start to the week, global markets got some relief on reassurances from China that it didn’t intend to sell its European debt holdings. China’s vote of confidence also inspired some strength in the euro, allowing the currency to rebound from a near four-year low versus the dollar. However, both U.S. markets and the euro lost momentum on Friday on a downgrade of Spanish debt.
U.S. GDP growth for the first quarter was revised modestly downward, as spending on IT equipment and software was slower than originally thought. The revised data do not alter our belief that the U.S. business cycle is shifting from initial recovery to a more sustainable expansion.
Source: ING IM, FactSet, Bloomberg
Information Security Threats
“Every time [some software engineer] says, ‘Nobody will go to the trouble of doing that,’ there’s some kid in Finland who will go to the trouble.”
- Alex Mayfield
Compliance: The rules, they are a changin’
Rules are put in place to keep bad things from happening…
Then, another bad thing happens…
More rules…
Compliance: The rules, they are a changin’
Laws and Regulations
Sarbanes-Oxley
- Requires a risk-based approach to both business and IT processes
- Annual testing and certification
- JSOX in Japan
- Loi de Sécurité Financière in France
- Bill 198 / CSA 52-313 in Canada
Compliance: The rules, they are a changin’
Laws and Regulations
BASEL II
- Basel II is an international standard used by banking regulators to determine how much capital banks need to put aside to guard against financial and operational risks.
Solvency II
- Solvency II creates EU-wide requirements for all companies to have a risk-based approach towards determining capital adequacy, to reduce the likelihood of failure.
Compliance: The rules, they are a changin’
Laws and Regulations
SEC
- Requires maintaining records of trades and communication about registrants.
Anti-Money Laundering (AML)
- Financial companies around the globe are required to monitor, investigate and report transactions of a suspicious nature.
- Requires reporting to the central bank in the country where the money laundering is suspected.
States: California, Massachusetts… more to follow
Compliance: The rules, they are a changin’
Laws and Regulations
PCI DSS, or the Payment Card Industry Data Security Standard
- Designed to prevent credit card fraud, hacking and various other security vulnerabilities and threats.
- Aimed at financial institutions, Internet vendors and retail merchants
- Developed by the credit card companies
Compliance: The rules, they are a changin’
“The young man knows the rules but the old man knows the exceptions.”
- Oliver Wendell Holmes
Strategy….is all about balancing risk and controls
Too Many Controls?
Strategy: So Many Rules, So Little Time
Develop a strategy for individual rule compliance
- Not sustainable
- Costly
- Maintain individual rules
Develop a strategy for overall compliance
- Potential for leaving holes, depending on the auditor
- Less costly, more efficient
Strategy: So Many Rules, So Little Time
- Documented the ideal state
- Documented ING IM’s processes
- Identified gaps
- Acknowledge and accept risk
Strategy: So Many Rules, So Little Time
“If everything is in control, you don’t go fast enough.”
- Mario Andretti
Implementing Solutions: Change Management
About ING IM’s environment
- Developers have access through an emergency secondary ID
- Primarily vendor/purchased applications
- Three environments, not four
Controls
- CyberArk Vault stores IDs and passwords
- Infra
  – Proprietary system that forces the creation of a ticket when an ID is checked out
- Systematic process to determine when and what code is changed, to ensure it is tied to a ticket
Implementing Solutions: Security
Access to Programs and Data
- AUTHENTICATION and ACCESS
  – Ensure user identification and passwords are maintained
  – Define responsibilities for maintaining identification and passwords
  – Create password standards
- PERIODIC REVIEWS and ROLE-BASED ACCESS
  – Create and maintain role-based access
  – Define roles within applications and across applications
  – Control identification, authentication, and access
  – Review roles
  – Review access
Implementing Solutions: Security
Access to Programs and Data
- GRANTING and REVOKING ACCESS
  – Requesting and granting access
  – Types of accounts that can be granted
  – Control over generic and service IDs
  – Revoking access
  – HR exiting process
  – Account inactivity process
- Tools:
  – ARS
  – Proprietary review application (RBAC)
  – Proprietary application to remove users with inactivity over 60 to 90 days
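The account inactivity process above, as an added worked example (this is not ING IM’s proprietary application): idle time is measured from the last logon, a never-used ID is measured from its creation date so it cannot escape the review, and service IDs go to their owner instead of being revoked automatically. The record layout, the 60-day warn / 90-day revoke split and the sample accounts are assumptions.

```python
"""Account inactivity review: added illustration of a 60-to-90-day removal
process, not ING IM's proprietary application. Record layout, threshold
split and sample accounts are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    user_id: str
    kind: str                    # "user" or "service" (generic/service IDs need owner control)
    created: date
    last_logon: Optional[date]   # None means the ID has never been used


def review_inactive(accounts: List[Account], as_of: date,
                    warn_days: int = 60, revoke_days: int = 90
                    ) -> Tuple[List[str], List[str], List[str]]:
    """Return (warn, revoke, owner_review) lists of user IDs.

    Idle time runs from the last successful logon, or from the creation
    date when there has been none, so a never-used ID cannot slip through.
    Service IDs are never auto-revoked; they are routed to their owner.
    """
    warn, revoke, owner_review = [], [], []
    for acct in accounts:
        idle_days = (as_of - (acct.last_logon or acct.created)).days
        if idle_days < warn_days:
            continue
        if acct.kind == "service":
            owner_review.append(acct.user_id)
        elif idle_days >= revoke_days:
            revoke.append(acct.user_id)
        else:
            warn.append(acct.user_id)
    return warn, revoke, owner_review


# Constructed sample data; the review date is arbitrary.
AS_OF = date(2010, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "user", date(2008, 1, 10), date(2010, 6, 20)),        # 10 days idle
    Account("asmith", "user", date(2008, 1, 10), date(2010, 4, 15)),      # 76 days idle
    Account("bjones", "user", date(2008, 1, 10), date(2010, 2, 1)),       # 149 days idle
    Account("tmp_contractor", "user", date(2010, 3, 1), None),            # never used
    Account("svc_backup", "service", date(2009, 1, 1), None),             # service ID
]

if __name__ == "__main__":
    for label, ids in zip(("warn", "revoke", "owner review"),
                          review_inactive(SAMPLE_ACCOUNTS, AS_OF)):
        print(f"{label}: {ids}")
```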
Implementing Solutions: Security
Secure configuration of the infrastructure (operating systems, database systems, and network components)
- REVIEW OF THE OPERATING SECURITY GUIDELINES’ IMPLEMENTATION
  – Reviews of the Guidelines
  – Performing the Review
  – Confirmation of Implementation
- Tools:
  – SMS
  – nCircle Compliance Monitor
Implementing Solutions: Security
Security Monitoring
- Monitoring Electronic Communication
  – Symantec IM Manager (SIM) – logs instant messaging traffic. SIM is interoperable with AOL, MSN and Yahoo Instant Messaging systems, as well as with the internal Microsoft LCS IM system, and logs all instant messenger conversations in ING IM’s KVS Vault for archiving and Compliance review. Usage requires approval from Compliance.
  – KVS Vault – logs e-mail traffic that traverses ING IM’s e-mail infrastructure.
  – Websense – blocks usage of Webmail. Exceptions to these blocks require approval from Compliance.
  – MetaMessage – logs the usage of Blackberry PIN and SMS.
Implementing Solutions: Security
Security Monitoring
- Monitoring and assessing database activities
  – IIM uses Guardium monitoring and reporting capabilities to capture:
  – failed logon attempts,
  – direct access modifications,
  – failed executions,
  – developer activity by primary and secondary ID, and
  – suspicious production activity such as the execution of DDL and DML statements.
- Monitoring and assessing network file-level activities
  – IIM utilizes nCircle Configuration Compliance Manager (formerly Cambia CM).
  – Identifies any asset within the IIM network
  – Monitors file changes, updates and removals in the production environment
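The database activity categories listed above, turned into classification logic over constructed audit lines as an added example (this is not ING IM’s code or Guardium’s): failed logons, activity by an emergency secondary ID, DDL in production, and DML in production issued outside the application’s own account. The log-line layout, the “_emer” suffix for secondary IDs and the application service-account name are assumptions.

```python
"""Database audit-event classifier: added illustration of the activity
categories captured above, not ING IM's code. Log-line layout, the "_emer"
suffix for emergency secondary IDs and the app account are assumptions."""
import re
from collections import Counter

LINE_RE = re.compile(r"db=(?P<db>\S+) user=(?P<user>\S+) status=(?P<status>\S+) stmt=(?P<stmt>.*)")
DDL = {"CREATE", "ALTER", "DROP", "TRUNCATE", "GRANT", "REVOKE"}
DML = {"INSERT", "UPDATE", "DELETE", "MERGE"}
APP_ACCOUNTS = {"svc_trading"}  # IDs the application itself uses (assumed)


def classify(event):
    """Return the finding categories for one parsed event (a regex match)."""
    db, user, status, stmt = event.group("db", "user", "status", "stmt")
    verb = stmt.split()[0].upper() if stmt.strip() else ""
    findings = []
    if verb == "LOGON" and status == "FAILED":
        findings.append("failed_logon")
    if user.endswith("_emer"):
        findings.append("secondary_id_activity")  # developer on the emergency ID
    if db == "PROD":
        if verb in DDL:
            findings.append("prod_ddl")
        elif verb in DML and user not in APP_ACCOUNTS:
            findings.append("prod_direct_modification")  # change outside the application
    return findings

def summarize(lines):
    """Count findings per (category, user); unparseable lines are counted, not dropped."""
    counts = Counter()
    for line in lines:
        event = LINE_RE.search(line)
        if event is None:
            counts[("unparsed", "-")] += 1
            continue
        for finding in classify(event):
            counts[(finding, event.group("user"))] += 1
    return counts

SAMPLE_LOG = [  # constructed sample audit lines
    "2010-05-28 09:00:01 db=PROD user=svc_trading status=OK stmt=INSERT INTO trades VALUES (1)",
    "2010-05-28 09:05:17 db=PROD user=jdoe status=FAILED stmt=LOGON",
    "2010-05-28 09:05:40 db=PROD user=jdoe status=FAILED stmt=LOGON",
    "2010-05-28 10:12:03 db=PROD user=mlee_emer status=OK stmt=UPDATE positions SET qty=0 WHERE id=42",
    "2010-05-28 11:30:00 db=PROD user=dba1 status=OK stmt=DROP TABLE audit_tmp",
    "2010-05-28 12:00:00 db=DEV user=mlee_emer status=OK stmt=ALTER TABLE x ADD COLUMN y INT",
    "garbage line the collector could not parse",
]
```

Calling `summarize(SAMPLE_LOG)` yields per-(category, user) counts, so the two failed logons for the same ID show up as one count of 2 rather than two unrelated events.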
Implementing Solutions: Security
Security Monitoring
- eSentire provides comprehensive security consulting and security monitoring services designed to keep IIM’s infrastructure secure and running
- eSentire provides:
  – Vulnerability assessments,
  – Managed security monitoring, and
  – Incident notification/response.
- IIM utilizes three of eSentire’s services
  – Element
  – Cyclops
  – Sniper
Implementing Solutions: DB to Track System Information
- Capture risk ratings for all applications
  – Confidentiality, integrity, and availability
- Record all gaps in security
- Record acknowledgement of individual system risks and overall process risks
- Operations security guidelines
  – System configurations
  – What and how to monitor
- Vendor evaluations
Creating a Culture of Compliance
The 5 Stages of Compliance Maturity:
- Stage 1: Compliance by Harassment
- Stage 2: Compliance by Fear
- Stage 3: Compliance by Confusion
- Stage 4: Compliance by Awareness
- Stage 5: Compliance by Culture
Stage 1: Compliance by Harassment
Individual: “Ok, fine. I’ll do it, just leave me alone…”
Management: “What do you mean? We have to do ‘what’? Have you done that yet?”
Perception of Regulations: “This is the dumbest thing. When will those regulators get a clue!”
Indication of: Denial
How to help the organization move to the next stage:
– Meet with individuals assisting with the audit, not just management
– Discuss the purpose of compliance and role of security
– Discuss what could go wrong
Stage 2: Compliance by Fear
Individual: “I’ll do whatever you ask, just don’t hurt me…”
Management: “Who do I need to fire?”
Perception of Regulations: “Who authorized that, and that, and that, and that, and that...” “I wonder who did something wrong….”
Indication of: Panic if it isn’t done right
How to help the organization move to the next stage:
– Discuss past issues
– Discuss current issues
– Make yourself available for questions
Stage 3: Compliance by Confusion
Individual: “I’m going to file a change control for EVERYTHING!” “If at first you don’t pass the audit, document, document, document…”
Management: “Are you sure ‘red’ is the right color for your database? Is it the right color of red; it might be too pink? Did you run this by audit?”
Perception of Regulations: “Really, I’ve got to document that too… Don’t they know how to work the system… We will never need that documented. Yeah, you might need to document it under certain circumstances that could lead to the possibility of increased risk. EXCEPTION!”
Indication of: Paranoia
How to help the customer move to the next stage:
– Explain the risks to the business, customers
– Explain the risks, explain the risks, explain the risks…
Stage 4: Compliance by Awareness
Individual: “This might be important, I should ask.”
Management: “What’s the risk to the business?”
Perception of Regulations: “These rules just might be important. Maybe they do know what they are talking about.”
Indication of: Willingness to learn
How to help the organization move to the next stage:
– Work with the customer to find out if they really understand risk assessment methodologies.
– How to categorize risks
– How to prioritize risks
– How to monitor risks
Stage 5: Compliance by Culture
Individual: “Our process says we should document, so I will.”
Management: “These are risks to our business, make sure you audit these areas. There is value in compliance.”
Perception of Regulations: “Doing great so far, but you can improve some processes in this way… Become best in class.”
Indication of: Desire to improve
How to help the organization move to the next stage:
– Encourage the business to convert risk-driven controls towards more automated preventative control implementations.
Conclusion
By acknowledging and accepting risk, the company is stating that they are aware of the risk… and are willing to take the risk.
“If you know the enemy and know yourself you need not fear the results of a hundred battles.”
- Sun Tzu
Thank You
Janet L. Bonds
AVP, Security and Controls