360-degree security. Converged security takes a holistic approach to safeguarding your company

Transcription

1 S P E C I A L F O C U S S U P P L E M E N T 360-degree security Converged security takes a holistic approach to safeguarding your company Ask what computer security means and many people respond with the same basic ideas: good backups, a firewall, encryption and antivirus protection. However, experts argue true security should involve all areas of the business, from the server room to the boardroom. Technology alone is never enough to safeguard an organization. Understanding how processes operate within the company is crucial. This notion, called converged security, includes an understanding of physical as well as logical security. It involves educating people on security best practices and making it harder for intruders to infiltrate the company using social engineering. It even extends down to minute technical areas of your operation, including something as innocuous as a document scanner in a branch office. One concern around network attached scanners, for example, is that a copy of a scanned image may be retained on the device s hard drive, said Steve Oblin, imaging product marketing manager at Fujitsu. The experts in this security supplement provide unique perspectives on the multifaceted challenges facing modern organizations which want to protect themselves as much as possible from risk. The final lesson is perhaps the hardest: no organization can count itself as entirely secure. Instead, methodological risk analysis and mitigation procedures can reduce risk to an acceptable degree, but doing this effectively requires an understanding of the company in question and the sector in which it operates, with all the regulatory and legal requirements therein. An individual security measure is never enough the trick is ensuring that many such measures work together to seal an organization as much as possible against attack. To view this supplement online go to: 10 CRITICAL QUESTIONS YOU SHOULD BE ASKING YOUR ORGANIZATION 1. Who are the outsourcing organizations we contract with and where are they located? 2. Precisely what data are we sending to, and receiving from, those outside our organization? 3. Is the data personal information, and have we given notice to our customers of this data transfer? 4. What are our exposures if the data (both sent and received) is improperly accessed, used or maintained? 5. What data protection clauses do we have in these contracts? 6. What evidence do we have that these outsourcing organizations protect our data as outlined in these data protection clauses? 7. What processes are in place to monitor the outsourcing organizations? 8. Do these organizations outsource any of their processes in which our data may be further transferred to another organization? 9. What processes do the outsourcing organizations we contract with use to verify the data protection practices followed by their outsourcing partners? 10. What are the applicable laws, regulations and compliance mandates that our organizations should be managing against? Rebecca Whitenern, EDS Yvon Audette, KPMG Kevin Murray, Symantec Steve Oblin Fujitsu 2006 KPMG LLP

2 S P E C I A L F O C U S S U P P L E M E N T Beyond PC security Symantec widens security focus from desktop computers to all user devices A quarter of a century is a long time in computing. Today s personal computing devices bear little resemblance to the PC that IBM launched in The evolution of the Windows operating system, the introduction of mobile computing and smaller form-factor devices are among the developments that have made security an increasingly complex task. Rather than desktop computer security, Symantec Corp. now talks about endpoint security, to accommodate the plethora of different devices that may connect to a network. It is Symantec s job to simplify endpoint security for IT managers, enabling them to walk the fine line between flexibility for employees and security for the organization. We recently launched Symantec Endpoint Protection 11.0 and Symantec Network Access Control 11.0, designed to both protect the endpoint from infection and the network from infected computers. Endpoint Protection 11.0 uses a single software agent designed to protect endpoint devices from an array of threats. After ensuring that we had all the right technologies in our portfolio, we redesigned the integration of those technologies into a single endpoint agent, explains Kevin Murray, Senior Director for Endpoint Security at Symantec. Consolidating all of those technologies into a single software agent consumes less memory while the product operates, Murray adds. Other products can use as much as 130MB of memory to secure an endpoint, but Symantec s solution now uses about 20 per cent of that. Customers have been reporting up to a 75 per cent reduction in the time spent managing endpoint security as a result of using this simplified but comprehensive product, according to Total Operational and Economic Impact Analysis by The Alchemy Solutions Group, October Endpoint Protection 11.0 encapsulates established security functions, including antivirus, anti-spyware, firewall and intrusion prevention, but also includes a new feature: application control. Application control enables customers to manage and enforce applications in the computing environment, preventing the use of unauthorized software, explains Murray. Application control makes the computing environment more secure, because locking down applications prevents users from installing software with their own security vulnerabilities. IT managers can now prevent users from installing inherently insecure applications, such as peer-to-peer file sharers on their PCs, for example. One customer told us that they have seen a 50 per cent reduction in helpdesk calls as a result of implementing this technology, Murray says, again citing the Alchemy Solutions Group report. Endpoint Protection 11.0 protects client devices from malicious network activity and from naïve users, but what if an infected endpoint without such protection manages to connect with the network? Even the most secure network will be vulnerable to infection from mobile devices that have been exposed to the public Internet. If, for example, employees or freelance contractors use their computer on a public Wi-Fi hotspot they could have become infected by malicious code. When they connect that computer to the network inside the corporate firewall, that malware could easily take down the entire infrastructure. Symantec s Network Access Control 11.0 protects the network from compromised endpoints. Symantec Network Access Control determines the configuration of the system before it is granted access to the network, explains Murray. Software within the network analyzes an endpoint device when it connects to evaluate compliance with the company s security policy. For example, it may restrict network access until an endpoint device s operating system has been fully updated with the latest security patches and its antivirus software has been loaded with the most recent antivirus updates. Because security is in everyone s best interest, Symantec has made the deployment of these technologies as easy as possible. The latest versions of its software are available under its entitlement program, which provides existing customers with upgrades and maintenance releases for its products. Because we have consolidated all of these technologies into a single agent, many customers will now receive more protection than they originally purchased, Murray explains. Customers that previously purchased its Symantec AntiVirus Corporate Edition, Symantec Client Security, Sygate Enterprise Protection, and its behavioural analysis product Confidence Online, are now protected by a broader array of security functions. The entitlement program is very generous and it maps across the entire Endpoint Security line of business. Symantec has taken this bold step because security should map across an entire business. An organization s security is only as good as its weakest point. Protecting your network and the devices that attach to it will go a long way towards avoiding the types of security breach that can easily land a company on the front page. For further information: call BUY-SYMC or visit Symantec.com/endpointsecurity

3

4 S P E C I A L F O C U S S U P P L E M E N T Payment Card Compliance: is your organization ready? Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of all entities that handle credit card data to help reduce fraud and identity theft. This standard is critical to minimizing risk and maximizing credit card data protection. Many merchants and service providers are struggling to bring their credit card processing environment in compliance with the PCI Data Security standard. The key to this is planning and preparation: proper prior preparation prevents poor performance. PCI DSS compliance is a demanding task and companies must carefully prepare and plan for it. Organizations must first seek to understand their cardholder processing environment before any planning activity. Completing a Self-Assessment Questionnaire (SAQ) and performing a preliminary gap analysis to assess your readiness are two critical steps to understanding your environment. With a good understanding of your environment, you should now have an idea of where you are. Now you can start planning on how to get to where you need to be. What you need to know Find out what you need to do to demonstrate compliance: On-site audit, selfassessment questionnaire or quarterly scans? Get senior management buy-in: Compliance with PCI DSS is a business risk issue. Get senior management support before you embark on this journey as you will need a lot of resources to achieve compliance: money, people and time. Involve multiple departments: PCI compliance is not just an IT or corporate security initiative. Involve HR, operations, finance, accounting and others. Leverage other compliance programs: The work required by PCI DSS may already be done. Make sure you align your PCI compliance efforts with other compliance efforts going on in your organization. Review third-party agreements: Make sure third-party and all connected-entity agreements contain language that they must be PCI compliant, if necessary. Segment your network: Although internal network segmentation is not a requirement of PCI DSS, it can significantly reduce the scope of your PCI assessment, and therefore the cost and effort required. A flat network design puts your whole organization in scope of the PCI assessment. Review your network diagram and have your cardholder processing environment adequately segmented from the rest of your network, if required. Information security management system: To comply with PCI DSS you must have a comprehensive set of security policies in place. Take advantage of compensating controls: If you will not be able to meet certain PCI requirements the way they are written, you can use alternate controls to compensate for the gaps. The compensating control must be above and beyond other PCI requirements and must also meet the intent and rigour of the original PCI requirement. Vulnerability assessment: This will help identify vulnerabilities you may have on your network and to start the remediation efforts ahead of time. Retain only necessary data: If you don t need it, don t store it. Eliminating sensitive cardholder data from your environment does two things for you: it immediately removes your risk and it reduces the scope of your PCI assessment. You do not need to keep sensitive cardholder data post authorization. Get documentation ready for assessors: Make sure you have well documented policies and procedures, third-party agreements, configuration standards, technical documentation and network diagrams ready for the assessors. Make sure they are well organized, clear and up-to-date. Get clarification from the PCI Council or your acquirer: If you need help with the interpretation of any of the PCI requirement, send an to the PCI Council at info@pcisecuritystandards.org. Your acquirer can help answer questions relating to your merchant or service provider level and compliance validation. Finally, be ready to prove that you have exercised due care. Companies should focus on building good security into their network, rather than the PCI compliance itself. Mostly, the PCI Data Security Standard is all about best practices and a set of controls that organizations should have always had in place. With this approach, demonstrating your PCI compliance becomes easier as all you now have to do is document your security controls and be ready to prove you have put in your best effort and done your due diligence. Ola Olafunmiloye is a Managing Consultant with Allstream, Security Practice in Canada. Ola is a CISSP, CISA and PCI Qualified Security Assessor (QSA) and specializes in assisting merchants and service providers apply the PCI Data Security Standard to their cardholder processing environment. Allstream is a Qualified Security Assessor (QSA) and provides PCI DSS readiness reviews, assessments and remediation services. For more information visit us online at or call

5 IT S ABOUT SECURING YOUR BUSINESS ASSETS Information is one of your company s most important assets and more vulnerable than ever before. You need to ensure that your company s information is accessible to the right people, protected against unauthorized use, and compliant with regulatory and legislative measures. Allstream s proven methodologies and team of highly experienced, industry-certified and accredited technical professionals enable you to meet these security challenges head on. We can help you identify the general risks you may be vulnerable to and the risks that are unique to your company. With innovative solutions tailored to your unique needs, we help you build a trusted, secure environment that gives you confidence and peace of mind. Employing an experienced and dedicated workforce, powerful technology, national presence and global connectivity, our world-class suite of telecom services and solutions help you improve productivity, lower costs, and protect your information assets. Thousands of companies have already benefited from the Allstream difference. Call us today to find out how our solutions can help your business. For more information, call or visit Manitoba Telecom Services Inc., used under license. IP CONNECTIVITY UNIFIED COMMUNICATIONS SECURITY IT CONSULTING

6 S P E C I A L F O C U S S U P P L E M E N T Information management: protect yourself and your customers KPMG delivers seven-phase lifecycle management process KPMG research with Fortune 1000 revealed key Privacy related concerns: Reputation damage 64% Customer loss 44% Litigation and class action 34% Compliance failure 32% 87% expect privacy issues to grow in scope and scale 55% expect high profile lawsuits But only 52% have implemented a program!! 2006 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in the U.S.A. 9atl 2830 KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative. Many companies today understand that information is an asset, but how many of them realize that badly managed information can also be a liability? Today, regulatory frameworks strictly control information governance and companies that do not manage data at all stages of its life cycle risk information leaks. Retention is one area in which companies find themselves balancing different needs. They must retain and correctly manage the information necessary to run their business. However, they must also limit the level of information that they store, to minimize the risk of that data falling into the wrong hands. But in other cases, the inappropriate destruction of a record and the lack of filing and retention policies may negatively affect an organization, explains Yvon Audette, a partner within KPMG Canada s IT Advisory Services group. Consequently, information lifecycle management (ILM) is becoming a pivotal concept for companies which want to protect themselves and their customers. KPMG outlines seven phases within the information lifecycle, from its initial generation and use through to its archiving and eventual destruction. Each of these phases carries its own considerations, explains Humbert Low, senior manager and security and privacy service line leader within KPMG. You must understand the technology components that need to be in place when you are moving information around, he explains. What is encrypted? What is the handling procedure around off-site tape operations, for example? KPMG brings a rich portfolio of security practices to the table when tackling ILM challenges. It can assess different threats to corporate information with the help of vulnerability and penetration testing procedures, and can also audit security operations to identify areas of potential improvement. In particular, KPMG s identity management services are helping organizations understand what is involved in properly developing the transformation projects needed to move forward with an ILM solution, says Audette, who emphasizes that managing the information lifecycle presents both technical and organizational challenges. Companies must understand which technical systems need access to information at different points in its lifecycle and must analyze them in a business context, particularly if they want to reap the business benefits that an ILM solution can deliver. They must understand how people, processes and technology come together to gain the benefits that can arise from such a solution, explains Audette. As an advisory organization, the strategy development part is really where KPMG can add value for clients. For further information visit us online at

7 2007 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. KPMG s IT Advisory... Keeps you current... More than ever, today s information technology professionals need to stay abreast of change in the worlds of business and in IT.To help you keep up with the latest issues, trends and challenges, KPMG s IT Advisory practice is pleased to announce a monthly podcast program The Balance: Managing IT in a Changing World. The series focuses on current issues and hot topics, including driving IT transformation, achieving business results from your ERP investment, global privacy, sourcing, and identity and access management. The first in this series deals with issues around Global Privacy, Information Protection, and Governance, and how using lifecycle management practices will help you to achieve sustained compliance and enhanced operational efficiencies. For more information, as well as to subscribe to this exciting new series and receive upcoming episodes automatically, please go to For further information on KPMG s IT Advisory services, please contact: Yvon Audette IT Advisory yaudette@kpmg.ca Humbert Low IT Advisory hlow@kpmg.ca

8 Strategic and operational business continuity Step one: have a good plan. Step two: be ready to execute it Many companies equate business continuity with simple data backup, but true continuity involves a more holistic understanding of what it takes to keep the company s business running, explains Rebecca Whitener, vice-president for EDS Enterprise Risk Management and chief risk officer at the company. The reality is that to have an effective plan, you have to take into account everything from business, through to strategy, culture and technology. An effective business continuity strategy involves expertise both at the strategic level, so that contingencies can be effectively planned, and at the operational one, so that they can be executed quickly and accurately. One of the first steps in the planning process involves identifying the risks to specific applications, along with their probability and scope. The resulting risk impact matrix can then be used as a platform to identify and create contingency measures. The strategic planning team must have a unique mixture of skills, taking in everything from regulatory expertise to sector-specific knowledge. Having an understanding of the industry that the client is working in is important, along with the issues that might surround specific scenarios, Whitener says. Our team would understand how a pandemic flu would affect the client s workforce, for example. Having contingencies to cope with issues such as workforce placement forms part of that expertise. A crucial part of this process involves working with numerous third-party stakeholders. EDS team of technical business continuity experts can not only plan the necessary technical solutions but can also work with participants outside the client s domain to ensure that all parties work in unison in the event of a disaster. This can include not only equipment suppliers but also utility companies, for example. This ability to work with multiple parties is crucial. Very few companies use products from a single technology vendor, and so business continuity planners must be comfortable dealing with many different suppliers. It s not about who s got turf, Whitener says. Our clients work with anybody, and so we need to work with everybody. We have a track record doing this. For further information visit us online at

9 S P E C I A L F O C U S S U P P L E M E N T It s the business equivalent to leaving the burner on. Not having a business continuity plan can send your business up in smoke. Protecting it requires more than disaster recovery. Geminare inexpensively protects small and medium-size businesses from technology failures by creating replicas of your key servers at our world-class data center that mirror your data in real-time so you can run directly from the data center within seconds. Geminare eliminates doubt. For a Geminare Partner call or visit It s the business equivalent to leaving the iron on. Not having a business continuity plan can send your business up in smoke. Protecting it requires more than disaster recovery. Geminare inexpensively protects small and medium-size businesses from technology failures by creating replicas of your key servers at our world-class data center that mirror your data in real-time so you can run directly from the data center within seconds. Geminare eliminates doubt. For a Geminare Partner call or visit