Securing your Corporate Infrastructure
What is really needed to keep your assets protected
Joseph Burkard, CISA, CISSP
October 3, 2002
Securing your Corporate Infrastructure
Management Dilemma or Technical Problem?
(Word cloud of the terms that surround the topic: Security Awareness, Confidentiality, Layered Defense, HIPAA, Physical Security, Corporate Governance, Privacy, Digital Signatures, Integrity, Tokens, Security Program, Wireless, Authentication, Security Organization, GLB, Policies & Procedures, Availability, Access Controls, ISO 17799, VPN, DMZ, Accountability, Worms, Cyber Terrorism, Risk Assessment, Anti-Virus, Denial of Service, PKI, Device Hardening, Internal Controls, Litigation, Hacker, Firewall, Vulnerability Testing, Non-Repudiation, Intrusion Detection, Web Security)
Securing your Corporate Infrastructure
Security is Complex!
Many technical elements
External requirements and regulations
Traditional Obstacles
"It is only an IT issue"
"It is not the same as other operational risks"
"It won't happen to us!"
Security is an event-driven industry
New Information Security Drivers
1. Significant Threats: 9/11/01
2. Recent Vulnerabilities: Code Red, Nimda
3. Increased Oversight: Enron, WorldCom
Increased Oversight and Compliance
Increased Oversight and Compliance

   Governance          Date     Type                  Industry
1. HIPAA               8/1996   Security & Privacy    Healthcare
2. GLB                 5/1999   Security & Privacy    Financial Services
3. IIA NACD            2/2000   Security Governance   Corporations
4. GISRA               6/2001   Security Standards    Government
5. FERC                7/2002   Security Standards    Energy
6. Sarbanes-Oxley      7/2002   Internal Controls     Public companies
7. NYSE & NASDAQ       8/2002   Internal Controls     Public companies
8. National Strategy   9/2002   Secure Cyberspace     5 levels, corporate & government
Information Security Governance
IIA NACD: What Directors Need to Know
1. Accountability: Who is responsible?
2. Awareness: How is it communicated?
3. Ethics: How do we ensure ethical use of information?
4. Inclusion: Are all affected parties involved?
5. Resource Allocation: Are security investments commensurate with risk?
6. Thoroughness: Is security integrated throughout?
7. Effectiveness: How do we avoid the impact of IT failures?
8. Ongoing Assessment: How do we ensure periodic audits or assessments?
9. Compliance: Are security measures fair and legal?
10. Information Sharing: How do we share with peers and government?
* Source: Information Security Governance: What Directors Need to Know. The Institute of Internal Auditors (IIA)
Information Security Governance
GISRA: Government Information Security Reform Act
Its genesis is the Clinger-Cohen Act of 1996
Requires comprehensive controls over the information resources that support federal operations and assets
Requires government management and oversight of information security risks
Requires annual reviews by the (Office of the) Inspector General
To be replaced by revised legislation currently before Congress, the Federal Information Security Management Act (FISMA)
http://www.whitehouse.gov/omb/inforeg/fy01securityactreport.pdf
FERC: Standards for Electric Market Participants
Participants must have a basic Security Program covering governance, planning, prevention, operations, incident response, and business continuity
Security standards for electric systems and physical security
These security standards become effective on January 1, 2004
Failure to comply will result in loss of direct-access privileges to the electric market
Senior management is responsible for the Security Program
http://www.ferc.gov/draftfercnoprstandardsdv5.pdf
Information Security Governance
Sarbanes-Oxley
Requires the CEO and CFO to file an internal control report
Increases SEC oversight and penalties
The CEO and CFO must certify quarterly or annual reports that disclose control deficiencies and fraud
NYSE & NASDAQ
Regular executive sessions of independent directors required
Scope of audit committee authority expanded
Corporate codes of conduct required
Internal audit function mandated!
CEO certification required
Information Security Governance
The National Strategy to Secure Cyberspace
A roadmap to protect the Critical Infrastructure, divided into 5 levels, from the home user (level 1) to the global level (level 5)
Questions boards, analysts and investors should ask:
1. Who is responsible for IT security, and to whom is he/she directly accountable?
2. Do the CEO and COO review IT security?
3. What internal IT security policies exist?
4. Are the security controls sufficient?
Recommendations:
Enterprise-wide corporate security councils
Regular independent IT security audits
A Chief Information Security Officer (CISO)
IT continuity plans that are regularly reviewed
http://csrc.nist.gov/policies/cyberstrategy-draft.pdf
Securing your Corporate Infrastructure
What is really needed to keep your assets protected?
Develop Security Program
Goals for Information Security:
Confidentiality
Integrity
Availability
These goals can be met with:
Proper governance
Sound security practices
A Security Program
Develop Security Program
Security Lifecycle
Use the Security Lifecycle to ensure realistic and enforceable policies, and to prioritize security objectives.
Security is a Process
Security requires a full enterprise perspective
The Security Lifecycle provides a framework
Security Policies, Standards, Procedures and Metrics form the core of a Security Program
Develop Security Program
1. Enlist Senior Management Support
2. Define Security Objectives
3. Create Security Strategy or Vision
4. Develop Tactical Security Program
Develop Security Program
Senior Management Commitment
An acknowledgement of the importance of the computing resources to the business model
A statement of support for information security throughout the enterprise
A commitment to authorize and manage the definition of the lower-level standards, procedures, and guidelines
Develop Security Program
Security Strategy & Plan
The model to the right lays the groundwork for designing, implementing and maintaining a comprehensive security framework.
The strategy and plan encompass People, Process and Technology
Builds consensus among each of the stakeholders regarding the objectives
The elements of Knowledge Sharing, Best Practices, Metrics, Methodologies, and Skill Sets provide the groundwork for implementing a security framework.
The biggest issue in most organizations is the lack of a comprehensive enterprise security strategy
(Figure: Strategy & Plan model with People, Processes and Technology at the center, surrounded by Metrics/Measures, Methodology, Best Practices, Skill Sets and Knowledge Sharing)
Develop Security Program
Strategy
The strategy is a high-level statement that defines the targeted state of Information Security for the organization, and how that targeted state can be reached.
Must be specific to the organization!
Plan
Provides an overview of the security requirements and describes the controls
Delineates responsibilities and expected behavior of all individuals
Documents the structured process of planning adequate, cost-effective security protection for a system
Develop Security Program
People
Identify roles, responsibilities and accountability for all critical information assets
Determine whether the security management function is appropriately staffed
Empower the Security Management team to create and enforce the appropriate information security policies and procedures
Process
Define, document, communicate and practice Security Management functions
Develop and standardize security policies
Increase security policy awareness throughout the organization
Discuss the Security area's approach to dealing with security-related problems and exceptions
Technology
Identify the metrics to measure the performance of Security Management
Develop technical security standards
Identify additional security products and solutions
Develop Security Program
Information Security Framework℠ (ISF)
Our approach to managing security risk uses Protiviti's proprietary Information Security Framework℠ (ISF). The framework is based on the simple concept of balance: information security risk management techniques should create a balance between the cost and nature of the controls implemented and the benefit of the risks assessed and controlled.
Layers of the framework:
Process: the human element in a security program
Applications: the business software providing access to data
Data Management: the back-end databases housing data
Platform: the operating systems and hardware supporting applications
Network: access to applications and network elements
Physical: access to facilities and physical elements
Principles:
Strategies and policies ensure that business risks are effectively managed and communicated to relevant parties
Processes and controls should be in place to detect and respond to security alerts and events
Changes to the technical environment should not create weaknesses in the security architecture
Technical architectures and solutions should be designed and operated to provide effective solutions to security threats
Summary
Takeaways
Security is Complex!
Governance = Accountability
Security is a Process
A Security Program is Necessary
1. Enlist Senior Management Support
2. Define Security Objectives
3. Create Security Strategy or Vision
4. Develop Tactical Security Program
People, Process and Technology
Joseph Burkard, CISA, CISSP
joseph.burkard@protiviti.com
Mobile: 414.807.7178
Background
Joe is a Senior Manager in Protiviti's Milwaukee office. He has over seven years of experience in information technology, the last three with Andersen prior to Protiviti. He has been an IS security and risk consultant, network engineer and system administrator. He has developed security architecture and methodologies, performed numerous security-related risk assessment audits, and has managed system installation and application integration projects.
Certifications
Certified Information Systems Auditor (CISA)
Certified Information Systems Security Professional (CISSP)
Fellow, Life Management Institute (FLMI)
Relevant Experience
Information Security
Project Risk Management
IT Risk Assessment
Infrastructure Management
Internal and IS Audit
Representative Clients
Briggs & Stratton
Commercial Federal Bank
Kohler
Lands' End
Manpower
Newell Rubbermaid
PepsiAmericas
Sprint
United Health Group