Security Officer's Checklist in a Sourcing Deal
Guide Share Europe, Ostend, May 9th 2014
Johan Van Mengsel, IBM Distinguished IT Specialist, IBM Client
Abstract
Sourcing deals create opportunities and challenges. What does it mean for a security officer: are special checklists required, or can this be handled as business as usual? This presentation focuses on the areas of attention for a security officer when securing sourcing deals.
2 Security Officer Checklist in a Sourcing deal Johan Van Mengsel
Security Management: Risk Management
- CRO: The Chief Risk Officer looks at the organization's overall risk profile and where it is most vulnerable to unexpected loss.
- CFO: The Chief Financial Officer must ensure that the necessary controls are in place to produce accurate financial statements.
- CISO: The Chief Information Security Officer must ensure that the IT infrastructure supports the overall business drivers of the organization. The CISO must minimize the risk of the IT environment, and assess and communicate the impact of this environment on the overall organization from a Governance, Risk and Compliance perspective.
Risk Management (likelihood/impact matrix)
- Likelihood: Almost Certain, Likely, Moderate, Unlikely, Rare
- Impact: Insignificant, Minor, Moderate, Major, Catastrophic
- Risk Rating: Low, Medium, High, Critical
Source: http://www-935.ibm.com/services/us/gbs/bus/html/risk_study.html
[Figure slides: The economics of IT and risk and reputation - 2013]
[Figure: Factors that influence the cost of data breach] Source: 2014 Cost of Data Breach Study: United States, Ponemon benchmark research sponsored by IBM
[Figure: Impact of factors on the per capita cost of data breach] Source: 2014 Cost of Data Breach Study: United States, benchmark research sponsored by IBM
Risk Management: Third Party (same likelihood/impact matrix applied to the sourcing partner)
- Likelihood: Almost Certain, Likely, Moderate, Unlikely, Rare
- Impact: Insignificant, Minor, Moderate, Major, Catastrophic
- Risk Rating: Low, Medium, High, Critical
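The two matrix slides give the likelihood and impact scales and the four ratings, but not which cell maps to which rating. The following is an added worked example, not code from the presentation: it scores a risk register (own and third-party risks) on the slides' scales, using an assumed, common convention that rating follows the product of the two levels (1..25), and an assumed simplification that each agreed control lowers likelihood by one level. The register entries, control names and thresholds are constructed for illustration.

```python
"""Qualitative risk rating from the 5x5 likelihood/impact matrix on the slides.

Added example, not from the presentation. The score thresholds and the
"one control = one likelihood level" rule are assumptions made here.
"""
from dataclasses import dataclass, field

LIKELIHOOD = ["Rare", "Unlikely", "Moderate", "Likely", "Almost Certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
RATINGS = ["Low", "Medium", "High", "Critical"]


def rate(likelihood: str, impact: str) -> str:
    """Map a likelihood/impact pair to Low/Medium/High/Critical."""
    l_level = LIKELIHOOD.index(likelihood) + 1   # 1 (Rare) .. 5 (Almost Certain)
    i_level = IMPACT.index(impact) + 1           # 1 (Insignificant) .. 5 (Catastrophic)
    score = l_level * i_level                    # 1 .. 25
    if score >= 15:                              # assumed thresholds
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    """One register entry; owner distinguishes own risks from third-party ones."""
    name: str
    likelihood: str
    impact: str
    owner: str = "own"                        # "own" or "third party"
    controls: list = field(default_factory=list)

    def inherent(self) -> str:
        """Rating before any control is applied."""
        return rate(self.likelihood, self.impact)

    def residual(self) -> str:
        """Rating after controls; each control lowers likelihood one level (assumed)."""
        idx = max(0, LIKELIHOOD.index(self.likelihood) - len(self.controls))
        return rate(LIKELIHOOD[idx], self.impact)


def above_appetite(register, appetite: str = "Medium") -> list:
    """Names of risks whose residual rating is worse than the accepted level."""
    limit = RATINGS.index(appetite)
    return [r.name for r in register if RATINGS.index(r.residual()) > limit]


# Constructed sample register (illustrative names, not from the slides).
SAMPLE_REGISTER = [
    Risk("Partner admin misuses privileged access", "Likely", "Major", "third party",
         ["privileged user administration", "access revalidation"]),
    Risk("Provider outage", "Moderate", "Moderate", "third party", ["DR testing"]),
    Risk("Office break-in", "Rare", "Minor"),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name:45} {r.owner:12} inherent={r.inherent():9} residual={r.residual()}")
    print("above appetite:", above_appetite(SAMPLE_REGISTER))
```

The point of separating inherent from residual rating is that a third-party risk only drops below appetite when the control is actually agreed in the contract and verified, which is what the later ISO 27002 clauses check.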
Cloud Security: Simple Example
Today's Data Center: We Have Control
- It's located at X.
- It's stored in servers Y, Z.
- We have backups in place.
- Our admins control access.
- Our uptime is sufficient.
- The auditors are happy.
- Our security team is engaged.
Tomorrow's Public Cloud: Who Has Control?
- Where is it located?
- Where is it stored?
- Who backs it up?
- Who has access?
- How resilient is it?
- How do auditors observe?
- How does our security team engage?
Risks introduced by cloud computing (risks across private, public and hybrid cloud delivery models)
- Compliance: Restrictions imposed by industry regulations over the use of clouds for some applications
- Security Management: Challenges with an increase in potential unauthorized exposure when migrating workloads to a shared network and compute infrastructure
- Data Security: Where the information is located and stored, who has access rights, how access is monitored and managed, including resiliency
- Less Control: Control needed to manage firewall and security settings for applications and runtime environments in the cloud
- Reliability: Concerns with high availability and loss of service should outages occur
Customer Requirements for Cloud Security: results of the analysis of existing customer requirements for cloud security
- 16 cross-industry customers analyzed: 6 telcos, 3 CSIs, 1 government, 1 bank, 1 manufacturing, 1 SMB, 2 IBM
- Worldwide representation: NE IOT, SW IOT, MEA, North America IOT, ANZ
- Data sources: formal RFPs, project architect interviews
- Requirement areas (counts from the figure): Intrusion prevention and response 37; Governance, risk and compliance 25; Identity and access management 21; Data management 12; Virtualization security 12; Patch management 7
Cloud Deployment/Delivery and Security
Depending on an organization's readiness to adopt cloud, there is a wide array of deployment and delivery options, ranging from more embedded security to less embedded security: SaaS (Software as a Service), BPaaS (Business Process as a Service), PaaS (Platform as a Service), IaaS (Infrastructure as a Service).
Different cloud deployment models also change the way we think about security
- Private cloud: On- or off-premises cloud infrastructure operated solely for an organization and managed by the organization or a third party
- Hybrid IT: Traditional IT and clouds (public and/or private) that remain separate but are bound together by technology that enables data and application portability
- Public cloud: Available to the general public or a large industry group and owned by an organization selling cloud services
Changes in security and privacy, from private to public:
- Private: customer responsibility for infrastructure; more customization of security controls; good visibility into day-to-day operations; easy access to logs and policies; applications and data remain inside the firewall
- Public: provider responsibility for infrastructure; less customization of security controls; no visibility into day-to-day operations; difficult access to logs and policies; applications and data are publicly exposed
Coordinating information security is BOTH the responsibility of the provider and the consumer
Who is responsible for security at each level (datacenter, infrastructure, middleware, application, process)? At every delivery model the responsibility is split between provider and consumer:
- Business Process-as-a-Service (process layer): industry-specific processes, employee benefits mgmt., business travel, procurement
- Application-as-a-Service (application layer): collaboration, CRM/ERP/HR, financials, industry applications
- Platform-as-a-Service (middleware layer): middleware, Web 2.0 application runtime, Java runtime, database, development tooling
- Infrastructure-as-a-Service (datacenter and infrastructure layers): data center, servers, networking, storage, fabric; shared, virtualized, dynamic provisioning
What is multi-tenancy, and what are the security IMPLICATIONS?
[Figure: Example of database multi-tenancy]
ISO/IEC 27002:2005 provides an information security management framework
ISO/IEC 27002:2005 covers 11 security management topics or clauses. Each clause is divided into categories with security objectives and sets of security controls to meet those objectives. Controls should be selected based on:
- assessment of risk;
- business principles and objectives;
- legal, regulatory, and contractual obligations.
The 11 clauses: Security Policy; Organizational Information Security; Asset Management; Human Resources Security; Physical and Environmental Security; Communications and Operations Management; System Access Control; Information Systems Acquisition, Development, and Maintenance; Information Security Incident Management; Business Continuity Management; Compliance.
Clause 5: Security Policy
Objective: Communicates management commitment and information security requirements across the organization.
Clause 6: Organization of Information Security
Objective: Resources must be allocated, and roles and responsibilities assigned, for security processes.
Organizational Information Security: the security organization crosses boundaries to the sourcing partner:
o Dedicated counter-party, typically for larger sourcing deals
o Security expertise in the sourcing team
Clause 7: Asset Management
Objective: Accountability must be assigned to ensure decisions take into account the value of data and the requirements for confidentiality, integrity, and availability.
Asset Management
- The third party follows established procedures for handling information identified by the customer as classified.
- Match the asset classification to the third party: if everything is handled as Top Secret, it is too costly and attention is diluted. Protect the crown jewels.
- Implement more stringent requirements for protecting and handling classified information based on custom security controls (e.g. specific controls for handling personal information).
Clause 8: Human Resources Security
Objective: Personnel processes should ensure security responsibilities are addressed during recruitment, in third party contracts, in training programs, and in disciplinary processes.
Human Resources Security
- Background checks?
- NDA: individual or corporate level?
- Security awareness training?
Clause 9: Physical and Environmental Security
Objective: Provide a secure environment for people, equipment, and information, and deter damage to assets or the bypassing of logical security controls.
Physical and Environmental Security: where is the third party located?
- Office space
- Data center
- Restricted areas
Clause 10: Communications and Operations Management
Objective: Provide sound network and systems management practices in order to reduce the risk of negligent or deliberate system misuse.
Communications and Operations Management: most sourcing deals will require some connectivity
- Inwards
- Outwards
Clause 11: Access Control
Objective: Access control processes provide protection for information and resources, and help ensure accountability.
System Access Control: user access management for own users and for the sourcing partner
o Creation/change/revocation
o Revalidation
o Privileged user administration
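A revalidation run is where the three bullets above meet: accounts of own users are checked against HR, accounts of partner staff against the partner roster and contract end dates, and privileged accounts are re-approved on a shorter cycle. The following is an added example, not code from the presentation; the HR list, partner roster, accounts, review date and the 90/365-day limits are constructed and assumed for illustration.

```python
"""Periodic access revalidation across own staff and a sourcing partner.

Added example, not from the presentation. All names, dates and age limits
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    owner: str            # person accountable for the account
    privileged: bool
    last_revalidated: date


def revalidate(accounts, hr_active, partner_roster, today,
               privileged_max_age=90, standard_max_age=365):
    """Return (user_id, finding) pairs for accounts that fail revalidation.

    hr_active: set of own employees still employed.
    partner_roster: {person: contract end date} for sourcing partner staff.
    The age limits are assumed values; privileged accounts are re-approved
    more often than standard ones.
    """
    findings = []
    for acc in accounts:
        if acc.owner not in hr_active:
            end = partner_roster.get(acc.owner)
            if end is None:
                findings.append((acc.user_id, "orphan: owner neither in HR nor on partner roster"))
            elif end < today:
                findings.append((acc.user_id, "partner contract ended, access not revoked"))
        max_age = privileged_max_age if acc.privileged else standard_max_age
        if (today - acc.last_revalidated).days > max_age:
            findings.append((acc.user_id, "revalidation overdue"))
    return findings


# Constructed sample data (assumed names and dates).
HR_ACTIVE = {"alice", "bob"}
PARTNER_ROSTER = {"carol": date(2014, 12, 31), "dave": date(2014, 3, 31)}
ACCOUNTS = [
    Account("alice", "erp", "alice", False, date(2013, 9, 1)),     # own, in date
    Account("bob-adm", "db", "bob", True, date(2014, 1, 10)),      # own, privileged, 119 days old
    Account("carol", "erp", "carol", False, date(2014, 4, 1)),     # partner, contract still running
    Account("dave-adm", "db", "dave", True, date(2014, 3, 1)),     # partner, contract ended
    Account("svc_old", "db", "erin", False, date(2012, 1, 1)),     # nobody owns this one
]
REVIEW_DATE = date(2014, 5, 9)

if __name__ == "__main__":
    for user_id, finding in revalidate(ACCOUNTS, HR_ACTIVE, PARTNER_ROSTER, REVIEW_DATE):
        print(f"{user_id:10} {finding}")
```

The partner roster with end dates is the piece most often missing in practice: without it, a partner leaver can only be detected as an orphan at the next full review rather than on the contract end date.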
Clause 12: Information Systems Acquisition, Development and Maintenance
Objective: Security requirements must be identified and appropriate security controls built into systems and applications.
Information Systems Acquisition, Development, and Maintenance
- Building new systems to security build specifications
- Security patching
- Management of cryptographic controls
Encryption in the Cloud
Approximately 50% of companies have sensitive and confidential information stored in the cloud. Source: 2013 Encryption in the Cloud by Thales e-Security and the Ponemon Institute; 4275 business and IT managers took part in the study.
But not always with encryption:
- Encryption at rest: 39% for SaaS and 26% for IaaS and PaaS consumers
- Encryption before sending to the cloud: 44% of SaaS and 40% of IaaS and PaaS consumers
- Who controls the crypto keys: 34% consumers, 29% shared between consumers and producers, 18% third party, 17% producers
http://www.smartbiz.be/smartbusiness/155343/encryptie-in-de-cloud-is-nog-niet-alomtegenwoordig
Clause 13: Information Security Incident Management
Objective: Information security events and weaknesses must be reported quickly and corrective action taken.
Information Security Incident Management: who are you gonna call? Will they call you?
o Establishment of security incident reporting procedures
o Initial security incident evaluation services
Clause 14: Business Continuity Management
Objective: Ensure that an organization is prepared to continue critical business functions in the event of a disaster.
Business Continuity Management: must be in line with own BCM
o Continuity impact analysis and continuity plan development
o Disaster recovery planning services in support of a continuity plan
o Disaster recovery testing services
o Disaster recovery execution
Clause 15: Compliance
Objective: Ensure that an organization's security policy is enforced and that security controls are working as expected.
Need to know the relevant compliance requirements:
o PCI
o Basel
o SoX
Regular checking:
o System security checks on a sample of systems for compliance with password policy, anti-virus protection and logging requirements
o Security audits
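The sample-based system security check named above is easy to make repeatable. The following is an added example, not code from the presentation: it takes an inventory of configuration records (constructed here, as a sourcing partner might export them), draws a reproducible random sample, and reports which of the password, anti-virus and logging requirements each sampled host fails. The policy values, record fields and host names are assumptions for illustration.

```python
"""Spot-check a sample of systems against an assumed security baseline.

Added example, not from the presentation. Inventory records, policy values
and check names are constructed for illustration.
"""
import random

# Assumed baseline covering the three areas named on the slide.
POLICY = {
    "password_min_length": 12,
    "password_max_age_days": 90,
    "av_signature_max_age_days": 7,
    "log_retention_min_days": 365,
}


def check_host(host: dict, policy: dict = POLICY) -> list:
    """Return the names of requirements this host fails (empty list = compliant)."""
    failures = []
    if host["password_min_length"] < policy["password_min_length"]:
        failures.append("password length")
    if host["password_max_age_days"] > policy["password_max_age_days"]:
        failures.append("password age")
    if (not host["av_installed"]
            or host["av_signature_age_days"] > policy["av_signature_max_age_days"]):
        failures.append("anti-virus")
    if (not host["log_forwarding"]
            or host["log_retention_days"] < policy["log_retention_min_days"]):
        failures.append("logging")
    return failures


def spot_check(inventory: list, sample_size: int, seed: int = 0) -> dict:
    """Draw a reproducible random sample and return {hostname: failures}."""
    rng = random.Random(seed)                  # fixed seed so the audit trail can be reproduced
    sample = rng.sample(inventory, min(sample_size, len(inventory)))
    return {h["hostname"]: check_host(h) for h in sample}


def compliance_rate(results: dict) -> float:
    """Share of sampled hosts with no failures."""
    if not results:
        return 0.0
    return sum(1 for f in results.values() if not f) / len(results)


# Constructed inventory (assumed field names and values).
INVENTORY = [
    {"hostname": "app01", "password_min_length": 14, "password_max_age_days": 60,
     "av_installed": True, "av_signature_age_days": 1, "log_forwarding": True, "log_retention_days": 400},
    {"hostname": "app02", "password_min_length": 8, "password_max_age_days": 60,
     "av_installed": True, "av_signature_age_days": 2, "log_forwarding": True, "log_retention_days": 400},
    {"hostname": "db01", "password_min_length": 14, "password_max_age_days": 180,
     "av_installed": True, "av_signature_age_days": 30, "log_forwarding": False, "log_retention_days": 30},
    {"hostname": "web01", "password_min_length": 12, "password_max_age_days": 90,
     "av_installed": False, "av_signature_age_days": 0, "log_forwarding": True, "log_retention_days": 365},
]

if __name__ == "__main__":
    results = spot_check(INVENTORY, sample_size=2, seed=2014)
    for hostname, failures in results.items():
        print(f"{hostname:8} {'OK' if not failures else ', '.join(failures)}")
    print(f"compliance rate of sample: {compliance_rate(results):.0%}")
```

The fixed seed matters for the audit: the partner can be given the seed and the inventory snapshot and reproduce exactly which systems were selected, which keeps the sample from being argued over afterwards.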
Summary
- Sourcing definitely warrants the security officer's attention
- Get your own act together first
- David versus Goliath
- Compliance versus Security
- Trick question: what about sourcing security?
Any Questions?