Transcript Document
Financial Advisory & Litigation Consulting Services
Financial Advisory & Litigation Consulting Services
Risk Management 2006
September 14-15, 2006
The Metropolitan Club, New York, NY
Workshop B: Information Risk/Security Track
Presented by: George G. McBride, CISSP, CISM
Aon Consulting
Complexity: The root of evil!
Complexity:
• Huge manuals
• Certifications required
to utilize/purchase
• Undocumented
features
• Staffing issues
• Updates and Patches
and Hot-Fixes and
Service Packs and
upgrades!
• Changing technology
• Complex DMZs
• And many more!
1
Information Technology Security Challenges
• Enterprises are globally connected and information-driven
• Extended enterprises include business partners, outsourcing
providers, telecommuters, clients, etc
• Network & technology dependency has created critical risk
exposures that are becoming more difficult to manage
• External/internal threats to information assets are rapidly growing
and changing
• Regulatory requirements are increasing in scope and complexity
• Technologies are continuously emerging and converging
• Customers demand high-level of security/privacy for their data
Interesting
Fact
.
Over 5 exabytes of total new information were produced and
stored in 2005. Five exabytes is about equal to 500,000
Libraries of Congress. (Report by UC,Berkeley)
2
Data Everywhere
3
Information Security and Risk Services
The Aon Difference
• We provide a comprehensive approach to information
security risk management issues
— A Return on Security Investment to enable intelligent risk
management decisions
— A holistic approach in managing information security risk
— Partnering with clients throughout the information security risk
management life cycle
— Working with technology vendors and insurance partners to
negotiate the best possible rates for risk mitigation or risk
financing
— Formal methodology to assess risk
• Repeatable, documented, and evolving
4
What is the solution?
• Information security risk
management should:
— Align with business objectives
— Integrate people, process
—
and technology
— Focus on the business impact of
information loss
— Be based on leading practices and
standards
— Architected to enable multiple risk
mitigation
5
Threats
• Opportunity
• Motivation
• Capability
Vulnerabilities
• Technology
• Processes
• People
Potential Consequences
- IT Disruption
- Financial Loss
- Litigation
- Damaged Brand
- Regulatory fine - Revenue loss
Risk-based Security Strategy
Transfer
Security
Options
Control
Manage
Risk Framework (Example)
1.
2.
3.
4.
6
Identify the threats to specific business areas
Assess the level of vulnerability
Gauge the potential impact
Develop security option path
Benefits of a Risk-based Integrated Approach
• When utilizing a risk based, integrated approach the
organization can:
— Transfer risks to third parties or purchase insurance
— Control risk through the implementation of security controls
— Monitor risks that the organization chooses to accept
— Make the right security investments to address the most critical assets
within the organization
— Ensure effectiveness of the most critical element of security---people
— Address regulatory compliance efficiently and cost-effectively
7
Integrated with the Organization
• Information security is not just a “technology” issue
• Human elements and processes are also essential:
— People: The #1 cause of security breaches. People issues include:
policies & procedures, technology management, security
awareness, incident response, security organization
— Process: How work is conducted has a huge impact on how security
should be designed and deployed--it balances productivity with
security
— Technology: Focus has traditionally been on external threats and
perimeter security technology e.g. firewalls, intrusion monitoring,
network security, etc. Technology can also help with internal
issues as well e.g. Role Based Access Control
Definition: Role Based Access Control (RBAC)
A method of regulating access to computer or network
resources based on the roles of individual users within an
enterprise. By definition RBAC incorporates elements of
People, Processes and Technologies
8
Information Security and Risk Services
Approach
Phase
9
Assess
Plan
Implement
Activities
• Identify and analyze information
security risk profile
• Facilitated sessions
• Documentation review
• Data collection
• Testing and validation
• Valuation exercises
• Analyze risk/security gaps
• Document improvement
recommendations
• Conduct strategic security
planning
• Vendor evaluation and
selection
• Solution design and
architecture
• Program/project
management
• Solution deployment
Deliverables
• Executive summary and
detailed report, including:
• Significant findings
• Benchmark/scoring
• Continuous risk
improvement process
•
•
•
•
•
•
•
• Security solutions based on:
• Regulatory compliance
• Industry standards and best
practices
• Objectives that are important
to the organization
Tools
• Commercial and
proprietary tools
• Industry best practices
and standards framework
Information Security Roadmap
Solution architecture
Prioritized objectives
Implementation plan
Timeline
Success criteria
Team structure
• Security technology center
• Project management and
reporting tools
Information Security and Risk Services
Consulting
Assessment
•
•
•
•
•
•
•
•
•
•
•
•
•
10
Information Security Risk Assessment & Analysis
Regulatory Compliance Reviews
Security Controls Gap Analysis
Network & System Vulnerability Assessment
Application Security Assessment
PBX Assessment
Penetration Testing
Wireless Security
Identity and Access Readiness Assessment
Technology and Vendor Selection Assessment
Social Engineering
Physical and Life Safety
Security Policy Review
Security Management
•
•
•
•
•
•
•
•
•
•
Incident Response/Forensics Investigation
Asset Classification
Network Security Architecture
Security Awareness Program
Information Security Program Management
Disaster Recovery/Business Continuity
Planning
Secure Software Development
Staff Augmentation
General Security Consulting
Litigation Readiness Programs
Information Security and Risk Services
Implementation
Access Control
Data Management
• Firewall Implementation
• Encryption
• Patch Management
• Wireless Networking
• Storage and Archiving
• Asset Tracking/ Management
• Identity and Access
Management
• Backup and Recovery
• Endpoint Security
Authentication
Threat Management
• Remote Access
• Security Event Management
• Directory Services
• Two Factor Authentication
• Anti-Virus
• Anti-Spam
• Single Sign-On
• Intrusion Detection and Prevention
• Host Integrity
11
Security Management
• Content Security
• Security Policy Framework
& Development
Industry Best Practices
• Even the professional services firms look to a 3rd party to assess,
manage, design, and implement their infrastructure
• Look for true vendor neutrality in your assessors
• Use a proven methodology to assess your infrastructure
• Understand your baseline: what are you comparing your IT
infrastructure to?
• Develop quality metrics
• Know your risk tolerance
12
Contact Me
George G. McBride
Financial Advisory & Litigation Consulting Services
Director, IT Security Consulting
Risk Consulting Services Practice
Office: 732.389.8944
Mobile: 732.429.0676
Email: [email protected]