Security Management and Organizational Change
John G. O'Leary, CISSP

Abstract
Outsourcing, migration to the cloud, mergers, acquisitions, divestitures, "right-sizing," layoffs and major reorganizations are facts of life in the second decade of the 21st century. All of these situations can create serious information protection concerns, but security is usually considered only after the financial, legal and structural issues have been settled and the ink is already dry on the bottom line. We'll look at large-scale organizational change from an IT security perspective and try to provide realistic strategies for handling the very real and emotionally charged issues that inevitably arise at the first discussion of moving functions out the door, offshore or to the cloud. We'll examine what to do before, during and after major organizational upheaval to ensure that adequate controls are in place.

Speaker Biography
John G. O'Leary, CISSP, has a background that spans four decades as an active practitioner in information systems, IT security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single-site to multinational and has trained tens of thousands of practitioners. John conducts on-site programs at major corporations and government facilities worldwide. For 10 years he also facilitated the meetings of working Peer Groups, where security professionals from diverse corporations shared ideas, concerns and techniques. John received the 2004 COSAC award, the EuroSec 2006 Prix de Fidelite and the 2011 (ISC)2 Lifetime Achievement Award. He has yet to fall for a Nigerian money scheme, but will almost always divulge a password for chocolate.

Copyright 2012 by John G. O'Leary

Objective
At the conclusion of this workshop, participants should be better able to understand, anticipate and handle the information security issues that appear in the midst of mergers, acquisitions, divestitures, outsourcing, migration to the cloud, "rightsizing," major reorganizations and other species of large-scale organizational change.

Agenda
I. Merging
II. Hunkering Down
III. Outsourcing, including Migration to the Cloud
IV. Personnel Issues in any Reorganization
V. Potential Countermeasures

I. Merging Dissimilar Organizations

Company Differences
- Intellectual
- Technological
- Operating systems
- Application software
- Business structure

Intellectual Differences
- Views of company mission
- Corporate cultures
- Key management people
- Management techniques
- Strategic directions
- Setting priorities

Views of Company Mission
- Keep the entity alive
- Make money for shareholders (including management)
  - for growth
  - to pay off debts
  - to acquire other companies
  - to fund research
- Serve the public
  - the industry
  - the community
  - some special group
  - in times of special need
- How security supports the mission

Corporate Cultures
- Stodgy, conservative
  - control-oriented
  - no surprises
  - stay the course
  - minimal change
  - plan to plan the plan
- High-flying, wild, unfettered
  - exciting, flexible
  - latest (if not greatest) technology
  - changing directions
  - constant upheaval
  - "Sounds good, let's do it"
- Dominant profession
- Attitudes toward security

Key Management People
- Focus on survival (or parachute)
- View of security's role
  - during the transition
  - in the new organization
- Reaction to culture clash
- "Turf" issues
- Possible successors
- Leadership by example
- Concentrated awareness effort

Management Techniques
- Participative vs. authoritarian
- Policies: scope, number, wording, compliance, effectiveness
- Security as part of the annual review?
- Punishment of offenders
- Visible support for security efforts

Strategic Directions
- Adjusting security objectives to align with new corporate thrusts
- Effectiveness of old controls in the new environment
- Acceptability of proposed security measures
- 3 to 5 year planning horizon (??)
- Migration to the cloud
- Targets and level of the awareness program
- Security development projects

Setting Priorities
- Data sharing and consolidation
- Increased web connection
- Confidentiality
- Management "hot buttons"
- New directions
- Dealing with multiple audit groups

Technological Differences
- Leading edge vs. trailing edge
- Single vs. multi-vendor
- Centralized vs. decentralized
- Integration of data/server centers
- Degree of networking
- Sophistication of users
- Technical prowess of staff

Leading vs. Trailing Edge
- Hardware capabilities
- Software sophistication
- Perception of threat
- Susceptibility to outage
- Effect of an outage
- Vulnerability to a disgruntled employee
- Attitudes

Centralized vs. Decentralized
- Flagpole vs. boondocks
- Span of control
- Level of involvement
- Familiarity with local conditions
- Level of commitment
- Full-time vs. part-time
- Response time for change requests

Integration of Data/Server Centers
- Standalone, separate security domains (usually for regulatory reasons)
- No integration, but data storage and vaulting for backup capabilities
- Partial integration, usually by application; communication links, local control
- Full integration; complete switchover capability

Sophistication of Users
- Awareness of threats and vulnerabilities
- Old controls in the new environment: re-justify, re-engineer, replace or eliminate
- Acceptance of the additional "burden" of security
- Speed and method of implementation for new controls

Operating System Differences
- Vendors
- Version currency
- Future/migration planning
- Maintenance level/procedures
- Decentralized operations
- "Vanilla" vs. "hooks"
- Compatibility

Application Software Differences
- Vendors
- Contracts
- Duplicate systems
- Choosing survivors
- Business impact
- Support staff skill
- Change control
- User sophistication
- Compatibility

Business Structure Differences
- Industry type
- Predominant occupational culture
- View of systems (and security): asset or overhead?
- "Turf" battles
- Access to top management
- Total expenditures: systems, security, industry norms

Consolidation, Post-merger: Controlling Security
- Centralized administration
- Distributed administration
- Selecting administrators
- Training
- Audit requirements
- Strength of the audit staff
- Migration plan

Getting It Done
- Form a team
  - members from both sides
  - allot limited time for grumbling
  - joint responsibilities and mixed subcommittees to foster team spirit
  - small core, temporary members as needed
- Develop the plan
  - dates and deliverables
  - personal responsibility
  - management approval (higher-ups from both sides of the merger)
- Work the plan
  - build a history of small but real achievements
  - praise cooperative groups
  - take the path of least resistance
  - be flexible, but not a pushover
  - report successes and failures
  - ask for help and suggestions
  - don't waste time on stonewallers; isolate them and let peer pressure work for you
  - leave slack for management hot buttons

Exercise
HP or Cisco or Oracle or Walmart or Sony or some European firm (choose one) just bought your company. Outline a plan for the integration of your existing systems.

II. Hunkering Down
- Divestiture
- Downsizing
- Hiring freezes
- Induced retirements
- Layoffs
- Facility closing
- Outsourcing / cloud

Divestiture: Selling Off to Another
- Usually the least traumatic form of corporate contraction
- Long-term employees
  - corporate identity
  - refusal to accept
  - feeling of betrayal
- Culture clash for "new" employees
- No loyalty to either the old or the new company
- Sensitive information and trade secrets
- Even rumors of divestiture can cause security problems
  - searching for information
  - browsing sensitive files
  - collecting valuable data or programs for personal storage and possible future use
  - setting logic bombs to detonate if an employee number vanishes from the payroll file ...
- Normally rational employees may attempt irrational retribution against the company
  - IT systems are prime targets
  - networking and wireless make it easy
- In a partial or staged divestiture, "former" employees might still be working at their old desks, using their old IDs on their old machines to access sensitive data

Downsizing: Tightening the Belt
- Hiring freezes
  - overworked areas get no relief from constant pressure
  - can lead to frustration, anger and blaming the company
  - too much to do and no help in sight; something's gotta give
  - cutting corners and ignoring time-consuming security practices
  - temporary abeyance of separation-of-duty principles

Induced Retirements
- Generally not a problem; might be a win-win for the company and the retirees
- Disgruntlement: "I didn't make the cut"
- Hard to motivate those who are leaving
- Is it really a choice?
- Extra work for those left behind
- Allocation of sensitive information and functions when senior people leave
- Organizational memory

Layoffs
- Always a shock, especially with no "parachute"
- Press coverage is unfailingly negative
- Behavior can be irrational, unpredictable, violent
- Desperation can spur the revenge motif
- Strong effect on those who survive
- Dial-up access from home
- Logic bombs which go off unless the programmer is there to defuse them
- Sensitive information for sale to competitors or newspapers
- Security and audit must operate in a state of heightened awareness
  - violation tracking
  - follow-up
  - accurate, timely communication with personnel and group managers
  - audit/security alliance
- Timing
  - advance notice for security
  - revoking access to all systems
  - might want other users to change passwords
  - turn up the rheostat on logging and log review
  - outprocessing procedures
- Counseling, even for those who were not let go
- Outplacement services
- Benefit package
- Publicize penalties for malicious access
- Don't delay the process
- No negative comments about those who left
- If security people are laid off, stress professionalism
- Audit everything

Facility Closing
- U.S. law (the WARN Act) requires 60 days' notice of a plant closing
- Invitation to sabotage?
  - everyone in the place loses his or her job
  - commiseration
  - blame the company
  - "we'll show them!!"
- Networks, systems and data warehouses are obvious targets to strike back at and assuage feelings of helplessness
- Physical sabotage of company equipment is not uncommon
- Physical violence is a very real threat: "What are they going to do, take away my job?"
- Unpredictable behavior by traumatized, long-term employees who know:
  - how the organization works
  - what is truly important
  - how to hurt it the most
  - how to inflict that hurt most quickly
  - how to make recovery difficult to impossible
- Each one has a network-connected workstation on his or her desk; most can connect in from home
- Aggregation of sensitive information by cooperative sharing of small pieces
- Local security people are among those losing their jobs
- Can you expect dedicated, thorough, professional, ethical performance from workers who know they will be out of a job in a short period of time?

What Can We Do?
- Close the plant now
  - pay people for at least 60 days (many firms have done so)
  - send in a team to close up, with data security as part of the team
  - take the financial hit up front
  - minimize the chance for sabotage or violence
- Emphasize ethics and professionalism
- Set high expectations of behavior
- Offer bonuses, payable at the end of the project, to those who help complete a successful shutdown
- Step up security awareness activities
- Stress the existence of controls and the probability of being caught
- Advertise punishments for malicious access: administrative, financial, criminal

Exercise
Management has decided to close the manufacturing plant in Kentucky. You are in charge of making it go well and managing the fallout. Outline the steps and timeline in your plan for this plant closure.

III. Outsourcing
- Concepts
- Managed services
- Variations
- Security issues
- Protective measures

Complex Information Security Environment
Malware, intranet, IPsec, PKI, intrusion prevention, compliance, viruses, multi-protocol, forensics, ISO 17799, wireless, privacy, intrusion detection, denial of service, NAS vs. SAN, .NET, high availability, SSL, identity management, Sarbanes-Oxley

IT Security: Part of a Larger Job
Internet, electronic messaging security, application management, storage area networks, intranet/extranet, wireless/mobile computing, survivability/recovery, enterprise solutions, international connections, regulatory issues, platform migration, help desk, customer relationship management, mobile computing, governance, electronic commerce, data warehousing, collaborative computing, supply chain management, knowledge management, third-party connectivity, staff development, technology evaluation, social networking ...

Staffing Alternatives
With the growing number of items falling into the purview of "information security," chances are very slim that your organization will either have enough people or that they will be knowledgeable enough to do the job effectively.
Note: this is not a knock on your people; there are just too many things, too interrelated, and they change too quickly.

Concepts: Back to Basics
- Focus on widget making
- Our expertise is in manufacturing, marketing, service, finance, ????? but not information systems, and especially not IT security

Concepts: Save Money
- Cheaper offshore labor
  - educated, dedicated workers
  - language not a problem
  - communication technology simplifies it
- Must stay competitive
  - everyone else is doing it
  - may be viewed as a matter of survival
- Fewer weird, expensive systems or security gurus
- Drop out of the "latest upgrade" rat race
- Stop interdepartmental "bleeding edge" warfare
- Dam up the constant stream of security add-ons

Concepts: Better Financial Planning
- Multiple recent surveys have questioned the amount saved, but outsourcing and cloud migration still seem to provide:
  - a contractually stipulated amount for the IT or IT security budget
  - predictable IT and security costs, even if there are no appreciable savings
  - fewer surprises
  - long-term stability

Concepts: Better Service
- Experts provide our IT security services
  - more people focus on the area
  - broader experience base
  - true experts who do this every day
  - focus on the best technology
- Contractual obligations
- Contractual penalties for failure to produce

Managed Security Services: Full Outsourcing (or Full Cloud Migration)
- Included in, or separate from, the facilities management contract
- Your people still spell out the "owner" decisions to be implemented
- The contracted firm does all the security functions
- The contracted firm does the actual hands-on administration
- You still need a knowledgeable liaison
- You still need to know enough to plan, analyze and make security-related decisions

Managed Security Services: Partial Outsourcing
- Might be stipulated in the facilities management contract
- Probably separate contracts for specific outsourced items (usually)
- Menu of items
- Different vendors: not all eggs in one basket
- Specialty areas ("boutiques")

Case Study: Large North American Bank
- Excellent technical skills on staff
- Internal tech staff already heavily loaded
- Opinion that "builders" and "maintainers" wouldn't find holes in systems they built and maintained
- Outsourced penetration testing to a known, recommended boutique firm
- Technical controls (e.g., firewalls) were excellent; the penetration team couldn't get through
- Social engineering of an executive assistant in a remote area got a server password
- A financial executive's remote password was "Password"
- The firm had specific stop points
- The bank used the firm's reports to close holes

Managed Security Services: Partial Outsourcing (continued)
- Mixed staff: full-time employees, part-timers, contractors, different vendors
- You still need to manage them

Variations: Cloud Migration
- Software as a Service
- Platform as a Service
- Infrastructure as a Service

Variations: IT Security Outsourcing
- Consulting
- Risk assessment
- Administration
- Implementation
- Policy writing
- Awareness training
- Security architecture design
- Firewall implementation
- PKI
- Physical security
- Auditing
- Background checks
- Patch management
- Product evaluation
- Monitoring
- Network management
- Intrusion detection and response
- Penetration testing
- Forensics

Case Study: Insurance and Financial Services Company, Northeastern USA
- Built an outstanding forensics capability internally, using employees
- In court, for lawsuits or prosecutions, it uses an outsourced forensics capability rather than its internal, recognized expert
- Credibility of the witness calls for a non-employee

Security Issues
- Ownership of data
- Access approval authority
- Disclosure of sensitive information
- Security controls at the vendor site
- Partitioning of customer data by the vendor
- Network security
- Customer policies vs. vendor policies
- Laws in the venues where the outsourcing is performed (India, Philippines, China, etc.)
- Loss of control
- Security and privacy of the customer's customers
- Staff: IT and IT security personnel
- Quality assurance
- In the 21st century, you are in the information business
- Non-outsourced standalone items: PCs, notebooks, netbooks, smart phones, palmtops, LANs, "special" systems, wireless

Outsourcing Issues
- Vendor personnel
- Lack of in-house expertise for:
  - analysis of proposed changes
  - problem resolution
  - incident investigation
  - future plans
- Possible union problems

Case Study: International Cosmetics Firm
- Good information security staff: manager and technical staff, long-term employees
- Outsourced the management of information security
- Employees reported to a managed services firm person, the Director of IT Security
- The manager and the most senior (and best) tech person quit

Outsourcing/Cloud Issues
- Level of commitment
- Audit rights and procedures
- Violation reporting and follow-up
- Security awareness
- Viability of the vendor
  - What if they merge?
  - What if they get bought?
  - What if there's a Board of Directors insurrection?
  - What do you do if they go "belly-up"?
  - What is your "bring it back in-house" plan?
- Viability of the vendor, offshore
  - What if the government changes and the incoming one is hostile?
  - What if they go to war?
  - What if significant laws relating to your business being done there change?
  - What if one of their citizens, in the employ of the outsourcer you contracted with, commits a crime against your customers?

Outsourcing/Cloud Issues: Positive
- Cost savings
- Predictable cost
- Focus on the core business
- Experience and expertise of service firms
- Fewer employees (productivity)
- Insulation from internal politics (???)
- Contractual obligations and penalties
- Extend your IT security staff
- Stay aware of the newest and most dangerous threats
- Keep up with the latest security technology, techniques and products
- Might not be inexpensive, but could be cost-effective
- Probably a better chance of getting help handling massive or multiple rapidly occurring problems ... unless they're swamped, too

Security Outsourcing Issues: Negative
- Loss of control
- Total cost might be higher
- Loss of in-house expertise
- Increased dependence on the outsourcer
- Customer service concerns
  - language: accents, idioms, dialects
  - lack of flexibility: strictly scripted responses, no deviations, no concessions
  - product knowledge
- Political fallout from offshore outsourcing
- Privacy concerns
- Abrogation of responsibilities (?)
- Vulnerability to disgruntled or dishonest vendor personnel

Case Study: Citibank
- Striving to save money in a competitive environment
- Outsourced call center operations to Mphasis BPO, a firm in India
- 3 Mphasis employees took the credit card numbers and PINs of 4 customers they had access to and withdrew $350,000 from their accounts
- Indian police (city of Pune) very cooperative
- Indian laws strong and enforced; 14 arrests

Security Outsourcing Issues: Pro and Con
- Your firm gets as much security as it wants and is willing to pay for
- You are not constantly annoying people about security issues
- Politics overrides cost savings

Case Study: State of New Jersey
- Like all governments, trying to do more with less; needed to save money
- Outsourced the NJ State Welfare Department call center to a firm in India
- Callers heard Indian accents and called their local politicians ... and newspapers
- Political firestorm
- NJ had been saving substantial dollars ($1M/month)
- Politicians complained of "long-term costs" to New Jersey citizens
- Now there are severe limits on any State jobs being outsourced, especially offshore

Protective Measures
- Choose a reputable vendor (not necessarily the least expensive)
- Third-party security reviews, not by your primary audit firm
- Stepped-up security awareness efforts
- Rigorous security testing of any changes to the environment
- Detailed security checklist(s) for the outsourcer to fill out and your security people to analyze prior to signing contracts
- Solid legal representation in the country where the work is being done, with specialization in local contract law
- Input to recovery plans; participation in recovery planning exercises
- Contractual commitments on:
  - troubleshooting response
  - disaster recovery
  - violation follow-up
  - personnel depth
  - change notification
  - length of incident tracking
  - remedies and penalties for noncompliance
- Transition teams
- Phased implementation
- Bonuses for those who stay through specified milestones
- Joint access approval authority
- Inspections of the vendor processing site by customer auditors
- Involving users in implementation plans
- Use different vendors for different specialties; the problem with "one size fits all" is that it doesn't
- Have a back-out plan in place
- Make sure that all security knowledge hasn't migrated out of the organization
- Contract for independent reviews of the security architecture and its elements
- If it's not in the contract, it doesn't get done

Exercise
Your outsourced, offshore application development firm says it needs access to your production files for volume testing. Design a questionnaire/checklist for them to fill out before they get access to your environment.

IV. Personnel Issues
Any significant organizational change can cause security problems.

The Unholy Triangle
- Fear
- Uncertainty
- Doubt

Concern for Loss of:
- Income
- Status
- Social group
- Corporate identity
- Benefits
- Power
- Opportunity
- Time
- Investment
- Effort

What Must an Organization Do?
- Reduce stress
- Ease the trauma of job loss or status reduction
- Help people maintain positive attitudes
- Discourage retribution
- HOW to do these things will vary with the situation

Major Reorganization
- Massive turnover
- Finding replacements
- Screening new hires
- Timing of changes
- Fixing mistakes
- Removal of old access profiles, postponed "FOR NOW" (for now = forever)

V. Countermeasures
- Visible support from the top
- Clear lines of authority and responsibility
- Specified ownership of resources
- Advertised punishments for violations
- Security/audit involvement: site visits, security reviews, rigorous audits
- Centralized quality assurance group
- Thorough and mandatory change control procedures
- Systems cutover standards, procedures and teams
- Coordinated risk analysis
- Combined contingency plan
- Multi-unit disaster tests
- Education and training
- Emphasis on physical security
- Visible deterrents to malicious actions
- Outplacement counseling

Summary
We have covered:
I. Merging
II. Hunkering Down
III. Outsourcing
IV. Personnel Issues in any Reorganization
V. Potential Countermeasures

Keys to Success
- In periods of large-scale organizational change, security people must be flexible and adaptable
- For better or for worse, the old organization is gone
- Focus on making the new one work