Mitigate Risk
March 23, 2004, 2pm
Carolyn Burke, MA, CISSP, CISM
CEO, Integrity Incorporated
Copyright 2004 Integrity Incorporated

Things we should go over
• Background Information
• Identifying Risks
• Relationship between Privacy & Security
• What Causes Security & Privacy Risks
• Using a Risk Management Approach
• Risk and Vulnerability Assessment
• Security & Privacy Management Capabilities Maturity Model
• Case Study!
• Protecting Privacy & Security

But first, how mature do you think you are?
• From 1 to 5, rate yourself:
  • on policy, process & procedures
  • on privacy & security
  • on technology

Identifying Risks

What is at Risk?
Assets of the organization include
– Secrets
– $$
– Time, effort
– People

What else is at Risk?
– Public trust in the organization
  • PR risk
  • May impede the ability of the organization to operate effectively
– Operational capabilities of the organization
  • Can be disrupted by unauthorized system modifications
  • Can be disrupted by Denial of Service and Distributed Denial of Service attacks

And still more
– Your clients
  • Privacy of clients’ personal information
  • Legally protected (legislation)
  • Contractually protected (policy, contract)
  • What information must be protected?
– Accuracy of clients’ personal information
  • Legal requirements
  • Operational necessity

The Relationship between Privacy & Security
(diagram: security drawn as the C-I-A triad of confidentiality, integrity and availability)

What Causes Security & Privacy Risks
• Technical vulnerabilities
• Fraud
• Operational issues
• The bad guys

Technical vulnerabilities
• Technical faults
• Software bugs, incorrect documentation
• Misconfiguration
  – software, servers, firewalls / security systems, routers
  – various other network elements
• Hardware failure
  – lack of redundancy
  – poor maintenance schedule

More technical vulnerabilities
• Poor technical architecture
• Lack of
  – appropriate perimeter defenses
  – intrusion detection systems
  – adequate access controls
  – adequate authentication systems
  – adequate authorization controls

Fraud
• Intentional misrepresentation
  • By clients
  • By staff
  • By company executives
  • External parties misrepresenting the company

Operational issues
– Insufficient checks & balances
  • peer review
  • periodic internal review
  • external audit
– Human error
– Faulty procedures
– Undocumented or missing procedures
– Lack of standardization
Do you have:
  • a security awareness program
  • a readable security policy
  • an incident response plan

More operational issues
– Lack of a clear policy framework
– Poor real-time handling of security incidents
– Lack of privacy awareness among all staff
– Lack of security awareness among all staff
– Extreme shortage of security skills among IT staff
Do you have:
  • a business continuity plan
  • a disaster recovery plan
  • a backup and recovery system

Bad guys
– Amateur hackers
– Well-intentioned researchers
– Malicious professionals
– Financially motivated professionals (your loss, their gain)

What Causes Security & Privacy Risks (discussion)
What high-level approach does your organization use today to address security & privacy issues?
• How effective is it?

The Risk Management Approach to Security & Privacy Strategy
You can’t eliminate 100% of risks…
… but you can develop a risk management framework which…

A Risk Management Framework
– takes a strategic approach
– provides a disciplined cost-benefit framework
– establishes clear high-level policies to guide tactical decision-making
– provides detailed processes & procedures
– specifies appropriate levels of protection (technical & procedural) based on sound analysis of vulnerabilities & resulting risks
– sets technical standards
– justifies security & privacy expenditures on both an economic & a legislative basis

The Risk Management Approach: Key Components
• Driven by risk analysis
  – Types of risks × Probabilities of risk × Costs of losses
  – Types of risk mitigation: their impact on probabilities and losses
• High-level security & privacy mandate: policies!
• Accountability in all risk-related activities
• Success factors
  – Continuous Improvement
  – Dynamic response to new threats

Continuous Security Framework
Okay, this is for the CSO.
(diagram: flow of control through the framework)
(diagram: Metrics & Continuous Improvement)

The Risk Management Approach to Security & Privacy Strategy (discussion)
Map out the high-level steps your organization needs to take to use a risk-management approach to privacy and security.

Risk and Vulnerability Assessment
Risk vs. Vulnerability
– Risk is economic & legal
– Vulnerability is technical & procedural

Quantifying risk
Economic Risk ($) = sum, over each type of risk, of Probability of risk (%) × Cost of loss ($)

Assessing vulnerability
– Technical
  • Attack & Penetration Testing
  • Network Security Review
– Procedural
  • Privacy Impact Assessment
  • Policy Audit
  • Processes & Procedures Audit

Risk and Vulnerability Assessment (discussion)
Estimate the outcomes which would result if your organization were to undergo:
– A thorough Attack & Penetration test?
– A thorough Network Security Review?
– A thorough Privacy Policies Audit?
– A thorough Operational Security (Processes & Procedures) Audit?

Protecting Privacy & Security
• Technology solutions
• Procedural solutions

Technology solutions
– Firewalls: privacy, integrity, authentication
– Encryption: privacy
  • Includes SSL (for web traffic), IPsec VPNs (for remote network access), PGP and S/MIME (for email), etc.
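The "Quantifying risk" formula and the cost-benefit framework slides above can be put to work on a small risk register. The following Python is an added example, not code from the original slides or from Integrity Incorporated: it sums probability × cost of loss over the types of risk, then scores each candidate mitigation by the expected loss it removes against its own annual cost. Every risk name, probability, loss figure and control cost in it is constructed for illustration.

```python
"""Expected loss and mitigation cost-benefit for a small risk register.

Added example, not code from the original slides. It implements the
deck's Economic Risk ($) = Probability of risk (%) x Cost of loss ($),
summed over the risk types in the register, and then ranks candidate
mitigations by the expected loss they remove minus what they cost per
year. All names and figures below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # annual likelihood of the loss event, 0.0 to 1.0
    loss: float         # cost of a single loss event, in dollars

    def expected_loss(self) -> float:
        """Annualised expected loss: probability x cost of loss."""
        return self.probability * self.loss


@dataclass
class Mitigation:
    """A control and the effect it is assumed to have on named risks.

    probability_factor / loss_factor map a risk name to the multiplier
    that remains once the control is in place: 0.25 means the probability
    (or loss) drops to a quarter of its original value. Risks that are not
    named are left untouched.
    """
    name: str
    annual_cost: float
    probability_factor: dict[str, float] = field(default_factory=dict)
    loss_factor: dict[str, float] = field(default_factory=dict)


def total_expected_loss(risks: list[Risk]) -> float:
    """Economic risk for the whole register, summed over risk types."""
    return sum(r.expected_loss() for r in risks)


def apply_mitigation(risks: list[Risk], m: Mitigation) -> list[Risk]:
    """Return the residual register after one mitigation is applied."""
    return [
        Risk(
            r.name,
            r.probability * m.probability_factor.get(r.name, 1.0),
            r.loss * m.loss_factor.get(r.name, 1.0),
        )
        for r in risks
    ]


def evaluate(risks: list[Risk], mitigations: list[Mitigation]):
    """Rank mitigations by net annual benefit (risk removed minus cost).

    Returns (baseline_expected_loss, rows); rows are sorted so the most
    cost-effective control comes first. A negative net benefit means the
    control costs more per year than the expected loss it removes, which
    is the signal the cost-benefit framework asks for before spending.
    """
    baseline = total_expected_loss(risks)
    rows = []
    for m in mitigations:
        residual = total_expected_loss(apply_mitigation(risks, m))
        reduction = baseline - residual
        rows.append({
            "mitigation": m.name,
            "annual_cost": m.annual_cost,
            "risk_reduction": reduction,
            "net_benefit": reduction - m.annual_cost,
        })
    rows.sort(key=lambda row: row["net_benefit"], reverse=True)
    return baseline, rows


# Constructed sample register (illustrative figures, not real data).
RISKS = [
    Risk("web server compromise", probability=0.30, loss=200_000),
    Risk("laptop theft exposing client PII", probability=0.50, loss=80_000),
    Risk("DDoS outage", probability=0.20, loss=50_000),
    Risk("backup failure during recovery", probability=0.10, loss=300_000),
]

# Constructed candidate controls and their assumed effect on the register.
MITIGATIONS = [
    Mitigation("patch management and firewall review", 25_000,
               probability_factor={"web server compromise": 0.25}),
    Mitigation("full-disk encryption on laptops", 8_000,
               loss_factor={"laptop theft exposing client PII": 0.10}),
    Mitigation("tested backup and recovery procedure", 30_000,
               probability_factor={"backup failure during recovery": 0.20}),
    Mitigation("DDoS scrubbing service", 15_000,
               loss_factor={"DDoS outage": 0.40}),
]


if __name__ == "__main__":
    baseline, rows = evaluate(RISKS, MITIGATIONS)
    print(f"baseline expected annual loss: ${baseline:,.0f}")
    for row in rows:
        print(f"{row['mitigation']:<40} cost ${row['annual_cost']:>8,.0f}"
              f"  removes ${row['risk_reduction']:>8,.0f}"
              f"  net ${row['net_benefit']:>9,.0f}")
```

Run stand-alone it prints the $140,000 baseline and the ranked controls; in this constructed register the cheap laptop encryption control ranks above the more expensive patching programme, and the last two controls have a negative net benefit, which is exactly the point at which the framework tells you to justify the spend on a legislative rather than an economic basis, or not at all.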
Technology solutions
– Passwords: authentication
  • Risks: reusable passwords, plaintext protocols
– Tokens: authentication
– Certificates: authentication
– Intrusion Detection Systems / IDS: integrity, privacy

Technology solutions
– Digital signatures: integrity, authentication, non-repudiation
– PKI: privacy, authentication, integrity, non-repudiation
– PMI (Privilege Management Infrastructure): authorization, privacy, authentication, integrity

Procedural solutions
– “Need to know” (principle of least privilege): privacy
– Change controls: privacy, authentication, integrity, non-repudiation
– Audit processes: increased assurance re. all factors
– Technical standardization: privacy, authentication, integrity, non-repudiation

Protecting Privacy & Security (discussion)
• What are the primary methods (procedural / technological) used by your organization to:
  – Protect privacy
  – Perform authentication
  – Ensure non-repudiation for online transactions
  – Maintain data and systems integrity

Security & Privacy Management Capabilities Maturity Model (TM)
– Measuring success using a baseline
  • Proprietary, standardized
  • Based on the Systems Security Engineering Capability Maturity Model (SSE-CMM)
– Provides maturity metrics on high-level organizational security and privacy capabilities

SPM-CMM(TM) Level 1
– Organization handles Security & Privacy issues informally
– Organization does not have documented Security & Privacy policies

SPM-CMM(TM) Level 2
– Organization has documented Security & Privacy policies
– Organization has assigned resources to plan Security & Privacy initiatives
– Effective training programs re. Security & Privacy
– Organization has effective processes to verify compliance with Security & Privacy policies

SPM-CMM(TM) Level 3
– Organization has concrete Security & Privacy standards & requirements (policies, procedures, technical standards)
– Organization has effective processes to verify consistency of all activities with Security & Privacy standards & requirements

SPM-CMM(TM) Level 4
– Organization has measurable, quantitative Security & Privacy goals
– Organization tracks objective performance relative to Security & Privacy goals
– Strong individual accountability

SPM-CMM(TM) Level 5
– Organization has an effective Continuous Improvement program for Security & Privacy
– Organization has defined improvement goals, causal analysis of Security & Privacy performance issues, and systematic incremental feedback

Security & Privacy Management Capabilities Maturity Model (TM)
(diagram: maturity scale from Level 1 to Level 5)
• Important considerations:
  – What is the impact of moving to the next maturity level?
  – What changes to technologies, processes, and policy would you need to make?

Case Study: Long-Distance Health Care / Privacy
• Public sector health care network enabling doctor-to-doctor communication between urban specialists and remote patients/hospitals/GPs
• Cost-effective communication required: a private network using internet technologies
• Maintain privacy: information shared between organizations, across borders
• Security technology, policy reviews
• Privacy policies of all organizations amalgamated
• The most stringent policy had to apply to all, to ensure that all policies were met

SPM-CMM(TM): from Level 1 to Level 2
Results
• Policy review for all organizations
• Co-ordination of all co-operating institutions’ privacy policies so that they were amalgamated and covered; had to use the most stringent policy
• Training to properly handle the exchange of information across varying legislative jurisdictions
Services
• Needs Assessment, Privacy Impact Assessment, Gap Analysis, Policy Writing, Training

Where do you rank your organization on the SPM-CMM(TM)?
• For security?
• For privacy?
• Overall?

Thank you!!!!
Carolyn Burke, MA, CISSP, CISM
CEO, Integrity Incorporated
www.integrityincorporated.com/subscribe.aspx