PowerPoint Presentation - KPMG A4 Talkbook Fullpage


INFORMATION RISK MANAGEMENT
e-ID: are you (proven) in control?
DENNIS VAN HAM
Introduction and setting the scene
• Identity: who are you? And how can we be sure it’s you?
• Access: what are you allowed to do?
• Business: protection of information is important, but please don’t bother me;
• Technology: lots of it available, but how reliable is it really?
• Audit and compliance management: proven in control?
© 2006 KPMG EDP Auditors N.V., member of KPMG International, a Swiss cooperative. All rights reserved.
Impact on people – changing threats and fast
Timeline 2003–2006:
• 2003: “Classic” Phishing
• 2004–2006: Spyware, Man-in-the-Middle Attacks, Keylogging, Botnets, Pharming, Malware, Trojan Horses, And More …
People are different and have many e-IDs
• Tentative mother of grown children
 – Learning to navigate the Net
 – Considering banking online, but hasn’t taken the leap yet
 – Afraid of hackers from a news story about ID theft victims
 – Her motto: The Web is complicated! Better to be safe than sorry.
• Young, traveling businessman with a family
 – Juggles 30 passwords
 – Uses two-factor authentication at work
 – Wonders if it’s available for his personal accounts
 – His motto: Internet security is key, but I can’t carry one more thing.
• Hip, 20-something male
 – Freely gives away his personal information
 – Has a firewall and antivirus
 – Clicks on any link
 – Thinks he’s immune to online fraud
 – His motto: I grew up with the Internet. I’m not afraid of it.
Source: RSA Security
Impact on business
• Compliance
 – SOX, HIPAA, Privacy, BASEL II, FDIC, etc.
• Corporate or IT Governance
 – Lack of clear strategy;
 – Timely implementation of policies or resolutions;
 – Policy enforcement and reporting;
• Security
 – Protection of intellectual property;
 – Rising administration and helpdesk costs;
 – Complex technologies and application infrastructure.
IT-security survey: six important signals
• Technology remains very dynamic; proper risk analysis is key but is not applied on a large scale;
• Insufficient expertise is the most important motive for outsourcing IT-security;
• Hacking, viruses and worms are significant threats, yet companies have little insight into the quality of their protection;
• Authorisation management is structured ineffectively and inefficiently;
• Continuity management is often organised on paper, but it is usually not certain whether it also works well in practice;
• The growing use of mobile devices requires attention.
Compliance – but not a goal in itself
Complex and getting management attention is difficult
Reality bites – ‘identity and access’ information everywhere
How does an auditor think?
Identity & Access Management – in a nutshell
Components (cross platform):
• Authentication
• Provisioning
• Authorization
• Federation
• Meta-Directory
• Audit
• Management
Significant integration effort required: each platform in scope (J2SE/J2EE, Windows/.NET, UNIX/LAMP) brings its own stack of Security, Storage, Networking, Processing, APIs and protocols, Frameworks, and OS and infrastructure.
More information?
KPMG Information Risk Management
Dennis van Ham
Consultant
KPMG Information Risk Management
Burgemeester Rijnderslaan 20, 1185 MC Amstelveen
Postbus 74105, 1070 BC Amsterdam
Telephone +31 (0)20 6568103, Fax +31 (0)20 6568388
E-mail: [email protected]
Internet: www.kpmg.nl/irm