How Much Security Is Enough?
March 22, 2007
University of British Columbia
1 Security Management
Agenda
Enterprise Information Security Framework
– What are the challenges?
– What problem are we trying to solve?
– Overview of enterprise information security
– Creating an enterprise information security program in support of risk, legal and regulatory obligations
– Information security control frameworks
– Measuring maturity of the program
The Challenges
What are you trying to protect?
Figure: threats surrounding the organization's ASSETS: loss of private data; intercepting transmissions; repudiation of actions; destruction of data; denial of service; manipulation of information.
Security challenges faced by organizations
Organizations are constantly challenged with information security issues and ever-increasing threat profiles. Faced with these challenges, organizations continue to ask themselves:
– Are our information security initiatives aligned with our business needs?
– Are our customers' and trading partners' information security initiatives and requirements compliant and compatible with ours?
– Are our information security practices providing adequate assurance to meet regulation or compliance requirements?
– Are we perceived as a responsive organization meeting the needs of our stakeholders, our customers and trading partners?
– Do our information security controls align with industry-related and internationally accepted guidelines?
– Are we aware of our security risks, and are they being effectively managed?
– Are we measuring the effectiveness of our information security investments?
Bottom line: are we secure?
Figure: the consequences of getting it wrong: compliance liability, business liability, brand erosion, escalating costs, reduced effectiveness, unprotected assets.
Most Enterprise Security Initiatives Fail Due to Lack of Buy-In
Stumbling blocks arise when the security program is not aligned with business needs.
Root Causes
• Lack of demonstrated ROI
• Poor definition of success
• No real business alignment
• No long-term strategy to decrease the level of overall security risk and exposure
• No framework within which to design and deploy solutions for new problems
• Technically led, IT-based security projects
• Low prioritization of security as compared to business initiatives
• Lack of appreciation for the importance of security in today's enterprise
• Immaturity of technology solutions
Overview: Security Management
A sound enterprise information security strategy should have proper balance and integration with the security governance, architecture and operations.
A security strategy is supported by three critical components:
• Strategy links security initiatives with business and technology objectives.
• Governance provides the organization and security management processes for maintaining adherence to the strategy and architecture.
• Architecture provides technology standards, models and technologies to be leveraged by the business.
• Operations integrates the strategy, program and architecture components with the core business management processes.
What does the information security program look like? Define the Information Security Program Framework.
Figure: Information Security Framework, made up of:
• Information Security Drivers: business, risk tolerance, legislation & regulations
• Information Security Governance: strategy; requirements & planning; measurement & assessment; principles, policies, standards, guidelines and procedures; audit; enforcement; risk management; awareness & training
• Information Security Management: architecture; operations (monitoring & management)
Security Risk Management
Typical Risk Profile
Figure: scatter plot of Likelihood (0% to 100%) against Consequence / Impact (1.0 to 5.0), plotting Risks A through G.
Information Security Control Frameworks
The Information Security Governance Framework is Built on the Corporate and IT Governance Framework
Security governance is a sub-component of overall IT and corporate governance.
Eleven Key Domains of ISO/IEC 17799:2005
• Security Policy: outlines BMO's expectations for security; demonstrates management support & commitment
• Organizing Information Security: management structure for security; security responsibilities; establish the incident response process
• Asset Management: inventory of BMO's information assets; identify the appropriate level of security for each
• Human Resources Security: security is a key component of HR & operations; job descriptions & responsibilities; job screening
• Physical & Environmental Security: policy that protects infrastructure, physical plant & employees; building access; maintenance
• Communications & Operations Management: preventing security incidents through preventative measures (A/V; logging & monitoring etc.); incident response procedures
• Access Control: access control to network & application resources; password management, authentication & event logging
• Information Systems Acquisition, Development & Maintenance: ensure security is an integral part of any network deployment / expansion
• Business Continuity Management: planning for disasters; recovering from disasters (natural & man-made)
• Compliance: complying with any applicable regulatory & legal requirements
• Information Security Incident Management: reporting security events and weaknesses; managing incidents and the improvements that follow from them
Many Frameworks
• ISO/IEC information security guidelines (ISO/IEC 17799, ISO/IEC 27000 series)
• Control Objectives for Information and related Technology (COBIT)
• IT Infrastructure Library (ITIL)
• Information Security Forum Standard of Good Practice (ISF)
• Systems Security Engineering Capability Maturity Model (SSE-CMM)
• Generally Accepted Information Security Principles (GAISP)
• National Institute of Standards and Technology (NIST) publications
• …
Choose one framework that meets most of your needs and supplement it with other frameworks as appropriate.
Measurement
Information Security Governance Maturity Model
• The Maturity Model is sponsored by the IT Governance Institute.
• It is used to rank an organization's practices and standards against industry best practices and standards from a maturity perspective.
• It can be used to help guide the organization to improve its overall information security posture.
• The long-range plan should be to implement the policies, practices and processes needed to arrive at a ranking of 5 – Optimized.
Maturity scale (0 Non-Existent to 5 Optimized):
0 - Non-Existent - Management processes are not applied at all
1 - Initial - Processes are ad hoc and disorganized
2 - Repeatable - Processes follow a regular pattern
3 - Defined - Processes are documented and communicated
4 - Managed - Processes are monitored and measured
5 - Optimized - Best practices are followed and automated
Reference points marked on the scale: average in manufacturing industry (2.7); manufacturing industry best practice (3.0); banking industry best practice (5.0).
Final Thoughts
Practical Realities
• Senior management commitment is critical
… without it there is little acceptance and funding for the program
• The risk profile is unique for each organization (e.g. country, regulatory environment, industry, organizational culture and risk appetite) and continuously changes
… and so must the security program
• Develop a business-aligned security vision, strategy and roadmap
… this helps to communicate direction and set priorities
• Demonstrate value to your "customers"
… through enablement, service-orientation and small/quick wins
• Security is a broad domain and no one knows it all
… leverage other resources to complement your strengths