*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Transcription

1

2 Mark s Bio ISO Overview What is Information Security? Threats to Information Security Information Security Management System Program Planning Compliance Management Potential Impacts *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

3

4

5 Mark E.S. Bernard, CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO Lead Auditor, SABSA-F2 Information Security, Privacy, Governance,Risk Management, Compliance Consultant *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

6

7

8

9

10

11 Information Security Defined The protection of information and knowledge in all formats hardcopy, digital, visual, or audio while providing assurance that information is available to run our business and customers have their information when needed. Protection from unauthorized access /disclosure impacting confidentiality. Protection from corruption impacting the integrity. Protection from destruction impacting availability. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

12

13 examples of Information Assets; Personal, financial, legal, research and development, strategic and commercial, , voic , databases, personal and shared drives, backup tapes/cds/dvds and digital archives, encryption keys, Personal, financial, legal, research and development, strategic and commercial, mail/post, FAXes, microfiche and other backup/archival materials, keys to safes/offices and other media storage containers, Journals, magazines, books, records, policies, standards, operating procedures, Knowledge, business relationships, trade secrets, licenses, patents, trademarks, accumulated experience and general know-how, corporate image/brand/commercial reputation/customer confidence, competitive advantage, ethics, productivity *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

14

15 Link; CyberSecurity Intelligence Report June 2014; *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

16 Link; CyberSecurity Intelligence Report June 2014; *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

17 Link; What happened to Quality Management in Software Development? shared *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

18

19

20 Key takeaways from this research include: Cyber crimes are costly. We found that the average annualized cost of cyber crime for 234 organizations in our study is $7.2 million per year, with a range of $375,387 to $58 million. This represents an increase in cost of 30 percent from the consolidated global results of last year s cyber cost study. Cyber attacks have become common occurrences. The companies in our study experienced 343 successful attacks per week and 1.4 successful attacks per company per week.1 This represents an increase of 20 percent from last year s successful attack experience. Last year s study reported 262 successful attacks on average per week. The most costly cyber crimes are those caused by malicious insiders, denial of service and webbased attacks. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, application security testing and enterprise governance, risk management and compliance (GRC) solutions. Credits - October 2013 Ponemon Institute Research Report *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

21 Credits Cost of Data Breach Study: Global Analysis *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

22 Source: Credits Cost of Data Breach Study: Global Analysis *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

23 Credits Cost of Data Breach Study: Global Analysis *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

24 Link; CyberSecurity Intelligence Report June 2014; *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

25

26 Standards that improve ISO Integration and Maturity ISO 9000 Quality Management Systems - Fundamentals and vocabulary ISO 9001 Quality Management Systems - Requirements ISO Risk Management - Principles and guidelines ISO Governance - Corporate governance of information technology ISO Information Technology - Service management - Concepts & Terminology ISO Environmental Management systems - Requirements ISO Occupational Health and Safety BS Business Continuity

27 The demand for ISO/IEC has nearly tripled in six years and the number of countries adopting the Information Security Management System has doubled. ISO/IEC will soon be releasing its first major revision since the 2005 adoption and if it turns out to be anything like the changes that we've seen in ICFR /ICIF, ISAE 3402 or NIST SP 53 there will be significant improvements to be leveraged. In 2006, the first year of the annual survey, ISO/IEC 27001:2005 certificates at the end of December 2006 totaled 5,797. The number of countries adopting ISO/IEC totaled 64. At the end of 2010, at least 15,625 certificates had been issued in 117 countries. The 2010 total represents an increase of 2,691 or (+21 %) since December In 2006 the top three countries adopting ISO/IEC included Japan, United Kingdom and India and in 2010 that trend continued. However, the top three countries from December 2009 to 2010 were Japan, China and the Czech Republic. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42 Percentage of IT Budget Spent on Security 237 respondents said that their budget was in excess of 18%, 8-10 of respondents said their budget was 16.5%, 6-7% of respondents said their budget was 5.5%, 3-5% of respondents said their budget was 17.7%, 1-2% of respondents said their budget was 15.6%, Less then 1% of respondents said their budget was 10.1% and 16% of respondents said they had no idea what their budget was. In contrast the percentage of Security Functions Outsourced 222 Respondents 64% said 'None' while 22% of respondents said up to 10% of their security functions were outsourced. In addition 5.9% of respondents said between 21-40% was Outsourced, 4.1% of respondents said between 41-60% was Outsourced, 2.3% of respondents said between 61-80% was Outsourced, and 1.8% of respondents said between % was Outsourced. Source; Computer Security Institute 2010/11 Survey *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

43 Month 1 Month 2 Month 3

44

45

46

47 BRITISH COLUMBIA Adult Guardianship Act Business Practices and Consumer Protection Act Company Act / Business Corporation Act Corporation Capital Tax Act Court Order Enforcement Act Credit Union Incorporation Act Election Act Electronic Transactions Act Employment Standards Act Environment Management Act Evidence Act Family Maintenance Enforcement Act Financial Information Act Financial Institutions Act Fraudulent Preference Act Freedom of Information and Protection of Privacy Act Human Rights Code Income Tax Act Insurance (Captive Company) Act Insurance (Vehicle) Act Interpretation Act Land Title Act Land Transfer Form Act Law and Equity Act Limitation Act Negligence Act Occupiers Liability Act Pension Benefits Standards Act Personal Information Protection Act Personal Property Security Act Power of Attorney Act Property Law Act Property Transfer Tax Act Public Guardian and Trustee Act Real Estate Services Act Representation Agreement Act Securities Act Securities (Forged Transfer) Act Social Service Tax Act Unclaimed Property Act Workers Compensation Act CANADA WIDE Bills of Exchange Act Canada Elections Act Canada Evidence Act Canada Pension Plan Competition Act Cooperative Credit Associations Act Copyright Act Criminal Code *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Criminal Code Employment Insurance Act Excise Tax Act Income Tax Act Interest Act Old Age Security Act Pension Benefits Standards Act, 1985 Personal Information Protection and Electronic Documents Act Proceeds of Crime (Money Laundering) and Terrorist Financing Act (we comply voluntarily) Trade-marks Act Bank Act Trust and Loan Companies Act Insurance Companies Act OTHER OSFI Guidelines Superintendent of Financial Institutions

48 Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health Act (HITECH Act) Federal Information Security Management Act (FISMA) Gramm-Leach-Bliley Act (GLBA) Payment Card Industry Data Security Standard (PCI-DSS) Payment Card Industry Payment Application Standard Sarbanes-Oxley Act (SOX) (now ISAE3402 /SSAE16) U.S. state data breach notification law International privacy or security laws *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

49

50

51 New Information Security Policy: Information security transcends technology impacting how we handle, view, store, copy, disclose, transmit information. The information security policy coveys the Enterprise s standard-of-care for the information assets entrusted to the Enterprise on behalf of their clients and partners. Policy Exceptions: In the unlikely event that a department cannot comply with the information security policy an exception will be created, signed by the department head and forwarded to Executives for either risk acceptance or rejection of which the latter requires immediate compliance. Existing Practices: Practices will be documented and may change to include key controls identified by external auditors, Internal Audit or through the Enterprise s Risk Management and Information Security Assessments. New practices and standards will be developed and documented in compliance with the information security policy, legislation, and agreements. Disciplinary practice will be developed for employees who are found in contravention of information security policies and will be coordinated through the employees manager and Human Resources. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

52 Data Classification: New practices and standards for areas handling Private, Confidential and Operational information assets will be developed and compliance monitored. For areas handling Private information these standards and practices will include restrictions to USB ports, IR ports, and DVD/CD Burners. Systems Development: Private information will not be disclosed during systems development to developers. However during testing, we will establish a QA room where only preauthorize developers and departmental personnel assigned to test may enter. No Private information will be allowed to leave the QA Room. Secure Architecture: Current infrastructure and its secure architecture will need to be documented and reviewed for control gaps. The introduction of information classification and more effective means of assessing infrastructure safeguards may lead to changes which could incur unplanned expense to segregate access to classified information assets. Governance: Reinforcement of accountabilities and responsibilities will occur throughout each step in the program. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

53 Security Oversight Committee: A committee will need to be created including representative from each of the Enterprise s departments to ensure that consensus is achieved and support for interdepartmental integration of information security policies and practices. New Employee Orientation will be mandatory before employees are granted access to the Enterprise s information assets. This practice will be coordinated through Human Resources, so carefully kept records of attendance may be maintained and periodically audited. Confidentiality Agreements will be mandatory and will be reviewed and updated annually. This practice will be coordinated through Human Resources so carefully kept records of attendance may be maintained and periodically audited. Third-Parties: Underpinning Contracts and Service Level Agreements will include provisions to enforce the Enterprise s information security policy and compliance with statutes, including CFO/CEO requirements. Contractors will be required to participate in employee orientation sessions and sign the appropriate agreements including nondisclosure agreements and confidentiality agreements. Contractors will not be left unsupervised when handling Private information. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

54 For more information contact /skype; *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***