Security Break Out - Indian Banks' Association
Security and Compliance
Manish Sethi
Head Security Solutions Datacraft
Agenda
1 Security Today
2 Disappearing Boundaries
3 Compliance Landscape
4 Challenge to Compliance
5 Why Security Metrics
6 Automation of Compliance
7 The dashboard approach
Disappearing boundaries … from castles to airports …
Before: The Bank.
Today: The Bank, linked to another enterprise through outsourcing, joint ventures, agency agreements, consultants, trusted relationships, collaboration and technology partnerships.
Consistent mistakes
1. Equating compliance with security
2. Failure to track key security metrics
3. Authorising reactive short-term fixes
4. Failure to protect laptop and home computers
5. Failure to institute effective change management
6. Failure to implement a defence-in-depth strategy
7. Failure to implement a vulnerability management strategy
8. Failure to get executive support for your security program
9. Failure to realise that traditional perimeter security is dead
10. Underestimating the costs of “catching up when the need arises”
11. Failure to recognise the importance of security awareness programs
12. Thinking that security is in the scope of your outsourcing contract
13. Assigning untrained people in an unorganised fashion to maintain security
14. Thinking that security is only a technology or IT department problem
15. Thinking that “we can’t be held legally liable for lax information security”
16. Failure to understand the relationship of IT security to the business process
17. Failing to realise the value of their information and organisational reputation
18. Failure to realise that viruses, spam and spyware are a BC issue and not just a nuisance
Source: Dimension Data CxO Assessment
Security landscape – Attack dynamics
[Chart: Attack targets – Operating systems, E-mail, Known applications, Unknown applications, Spyware, New targets]
[Chart: Attack types – Viruses and worms, Phishing (14,000 schemes launched each month with a 5% hit rate), DoS, Web scripting]
New targets: Hackers are looking beyond the operating system to gain access to computers, and they're increasingly targeting Web browsers, e-mail clients and other applications and client software. Vulnerabilities have been discovered recently in Apple Computer's iTunes, RealNetworks' RealPlayer, Microsoft's Internet Explorer, Mozilla Foundation's Firefox, various Oracle applications, enterprise data-backup software from Computer Associates and Veritas, and Cisco’s IOS.
Regulations: for financial institutions and insurance, operational risk management, fraud detection and anti-money laundering are major areas of concern.
Some of the key drivers for IT compliance in banks:
Internet Banking
Electronic Clearing Services (ECS)
E-Services – bill payment, online purchase through debit / credit cards
Stringent Basel II, made mandatory by RBI for implementation by 2007
SEBI has been issuing various guidelines to enterprises for ensuring compliance with SEBI Clause 49
Impact of Non-compliance
Severe penalties: monetary penalties, company liabilities, personal liabilities (responsibility of the individual)
Reduction in compatibility (level of compliance) as compared to peers (competitors)
Processes & procedures interaction
Information exposure
Ability to meet litigation demands
Company reputation and market (business) at stake
Key To Success – Frequent Auditing
Success Factors                Laggards (23%)   Norm (67%)   Leaders (10%)
Freq of internal audits        8 Months         7 Months     1 Month
IT time on compliance          16%              25%          30%
IT budget on security          4.5%             7.4%         12.7%
# of overall deficiencies      75               30           20
# of significant deficiencies  33               6            2
Leaders are 15x better because they do more audits…
…But they spend 3x more because they lack automation
Challenges in sustaining compliance
Time and cost: manual and inefficient processes; redundant or ineffective IT controls; explosive data growth / expanding retention periods
Inconsistency and de-centralization: no standardized processes; fragmented IT testing efforts
Measurement and reporting: processes not auditable; issues with timeliness and accuracy
Complexity: IT infrastructure; multiple regulations to address simultaneously
The challenge of measuring Security
“There are three kinds of lies: Lies, Damn Lies, and Statistics” – George Campbell, CSO Emeritus Faculty
Security Metrics … is not about numbers. It really is about measuring the performance of Security’s programs. – George Campbell, CSO Emeritus Faculty
Copyright © 2005 CSO Executive Council -- All Rights Reserved
Metrics Program
Focuses on three distinctly interrelated processes:
Security Balanced Scorecard Metrics
•Financial Performance
•Customer Focus
•Operational Excellence
•Business Process Maturity
Security Baseline
•ISO17799
•COBIT
•NIST
•NFPA 1600
•Common practices as they evolve over time
•Numerous, comprehensive and relatively static
Security Operational Metrics
•Derived from the security baseline
•Used to improve security processes
The CxO Security Assessment: Banking Security Benchmarking
A facilitated self-assessment of current security posture
A weighted, quantitative assessment
Low cost, high value, “instant gratification”
Covers over 150 best practices
One-day workshop
Best practices – ISO 17799, ISA, ISF, CSI, TechNet, CobiT, NIST, SANS, Gartner, IDC
Risk management, Governance, People, Processes, Organisation, Technology
Information Security Management Dashboard, Detailed CXO Scorecard, CXO Benchmarking
Audit Automation
Compliance Audit Automation
Addresses the following:
Need to achieve a continuous & proactive security strategy – automatically detects vulnerabilities in systems & network
Need to know changes in systems for compliance – detects deviation from security policies in mission-critical systems and servers; compliance reporting for deviations
Need to have a baseline configuration for performance measurement of security programs and to enforce a change management methodology – creates baselines for every system in the network
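The baseline-and-deviation idea behind the slide above, as an added example; this is not Datacraft's product code. The policy, the approved baseline and the current snapshot are constructed data standing in for what an audit agent would collect from one in-scope server, and the setting names (`sshd.PermitRootLogin`, `service.telnet`, …) are assumptions chosen for illustration.

```python
"""Baseline-and-deviation check for a server's security-relevant configuration.

Added example, not Datacraft's product code. The baseline, the current
snapshot and the policy below are constructed data standing in for what an
audit agent would collect from an in-scope server.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical policy: settings every in-scope server must satisfy.
POLICY: Dict[str, str] = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "audit.enabled": "yes",
}

# Constructed baseline, recorded when the server was approved (setting -> value).
BASELINE: Dict[str, str] = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "audit.enabled": "yes",
    "service.sshd": "running",
    "service.telnet": "stopped",
    "file.sha256./etc/passwd": "a1b2c3",  # placeholder digest, constructed
}

# Constructed current snapshot: root login re-enabled, telnet started,
# an unapproved service added and /etc/passwd modified.
CURRENT: Dict[str, str] = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "yes",
    "audit.enabled": "yes",
    "service.sshd": "running",
    "service.telnet": "running",
    "service.smbd": "running",
    "file.sha256./etc/passwd": "d4e5f6",  # placeholder digest, constructed
}


@dataclass
class Deviation:
    key: str
    kind: str                 # "changed", "added" or "removed"
    baseline: Optional[str]
    current: Optional[str]
    policy_violation: bool    # True when the current value breaks POLICY


def diff_snapshot(baseline: Dict[str, str], current: Dict[str, str],
                  policy: Dict[str, str]) -> List[Deviation]:
    """Return every setting that differs from the approved baseline."""
    deviations = []
    for key in sorted(set(baseline) | set(current)):
        before, after = baseline.get(key), current.get(key)
        if before == after:
            continue
        if before is None:
            kind = "added"
        elif after is None:
            kind = "removed"
        else:
            kind = "changed"
        violates = key in policy and after != policy[key]
        deviations.append(Deviation(key, kind, before, after, violates))
    return deviations


def policy_violations(current: Dict[str, str], policy: Dict[str, str]) -> List[str]:
    """Settings whose current value breaks policy, whether or not they drifted.

    Checked separately so a baseline that was itself approved with a weak
    setting still shows up.
    """
    return [k for k, want in sorted(policy.items()) if current.get(k) != want]


def compliance_report(baseline: Dict[str, str], current: Dict[str, str],
                      policy: Dict[str, str]) -> Dict[str, object]:
    """Drift list plus policy check, the two inputs a deviation report needs."""
    devs = diff_snapshot(baseline, current, policy)
    violations = policy_violations(current, policy)
    return {
        "deviations": devs,
        "drift_count": len(devs),
        "policy_violations": violations,
        "compliant": not devs and not violations,
    }


if __name__ == "__main__":
    report = compliance_report(BASELINE, CURRENT, POLICY)
    for d in report["deviations"]:
        flag = "  <-- POLICY" if d.policy_violation else ""
        print(f"{d.kind:8} {d.key}: {d.baseline!r} -> {d.current!r}{flag}")
    print("compliant:", report["compliant"])
```

Drift and policy are reported separately on purpose: a changed setting that still satisfies policy is a change-management finding, while a policy breach is a security finding even when the baseline itself contained it.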
Compliance Audit Automation
Key Benefits
Resource optimization
Higher assurance of compliance
Reduced risk of threats due to vulnerabilities in systems
Enforcement of the change management process
Enterprise Manager allows us to measure compliance over time
Compliance Audit Automation
Case Studies
Large MNC Financial Bank (Regional Deployment): assurance of compliance (due diligence); reduced need for onsite audit; speed of audit
Large BPO in India: mitigation of risk of information exposure due to vulnerabilities in systems; constant assurance of compliance to their end-customers
Compliance Reporting & Data Archival
Any compliance requires: specific systems of control over financial data
Controls: Malicious Code Detection, RealTime Monitoring, Spyware detection, Troubleshooting, Access Control Enforcement, Configuration Control, Privileged User Management, Lockdown enforcement, Unauthorized Service Detection, False Positive Reduction, IP Leakage, User Monitoring
Log sources: Web server activity logs, Switch logs, VA Scan logs, Windows domain logins, Windows logs, Web cache & proxy logs, Content management logs, IDS/IDP logs, Router logs, VPN logs, Firewall logs, Wireless access logs, Oracle Financial logs, Mainframe logs, Linux, Unix, Windows OS logs, Client & file server logs, DHCP logs, SAN file access logs, VLAN access & control logs, Database logs
A Platform for Compliance & Security Operations
In Brief
Helps manage soaring data volumes, ensuring storage and data access meet regulatory compliance
Helps automate compliance reporting
Organizations can strategize now for a platform to integrate future compliance initiatives.
Compliance Reports
Features
Operational and executive compliance reports
Addresses specific sections of regulations such as Sarbanes-Oxley, HIPAA, FISMA, and GLBA.
Compliance reports are customizable
Benefits
Create a timely, prioritized view of threats against compliance assets
Measure the effectiveness of compliance initiatives over time
Customizable compliance reports monitor controls unique to an organization
Compliance reporting & Data Archival
Addresses the following:
Need to fulfil regulatory compliance and audit reporting – automates the process of collecting, analysing and reporting on data from systems and network devices
Need to have secure data retention/archival – securely stores collected data for forensics, future retrieval & compliance with data retention regulations
Need to perform better resource allocation and more efficient incident response – collected data are analyzed/correlated to generate alerts for escalation
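The collect, normalise and correlate pipeline described above, as an added example rather than the product's own code; it also stands in for the log-source list on the earlier slide by reading two of those sources (Windows domain logins and VPN logs). The two line formats, the host names and the log lines themselves are constructed for this example; real Windows and VPN logs have their own layouts and would need their own parsers. The correlation rule (several failures for one user and source address within a short window, then a success, across either source) is a common defensive pattern, not one the slide names.

```python
"""Collect, normalise and correlate logon events from two log sources.

Added example, not the product's code. The two line formats and the log
lines themselves are constructed; real Windows domain and VPN logs use
different layouts and would need their own parsers.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional


class Event(NamedTuple):
    ts: datetime
    source: str     # which log family the line came from
    user: str
    src_ip: str
    success: bool


# Constructed formats: one for Windows domain logins, one for VPN logs.
WIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) logon "
    r"user=(?P<user>\S+) src=(?P<ip>[\d.]+) result=(?P<res>success|failure)$")
VPN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) auth "
    r"(?P<user>\S+) from (?P<ip>[\d.]+): (?P<res>accepted|denied)$")


def parse_line(line: str) -> Optional[Event]:
    """Normalise one raw line into an Event; None for lines we do not understand."""
    m = WIN_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        return Event(ts, "windows", m["user"], m["ip"], m["res"] == "success")
    m = VPN_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        return Event(ts, "vpn", m["user"], m["ip"], m["res"] == "accepted")
    return None


def correlate(events: List[Event], threshold: int = 3,
              window: timedelta = timedelta(seconds=120)) -> List[Dict[str, object]]:
    """Alert when a (user, source IP) pair fails `threshold` times within
    `window` and then succeeds, whichever log family saw each event."""
    failures: Dict[tuple, List[Event]] = defaultdict(list)
    alerts: List[Dict[str, object]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.src_ip)
        # Forget failures that have aged out of the correlation window.
        failures[key] = [f for f in failures[key] if ev.ts - f.ts <= window]
        if not ev.success:
            failures[key].append(ev)
            continue
        if len(failures[key]) >= threshold:
            alerts.append({
                "user": ev.user,
                "src_ip": ev.src_ip,
                "failures": len(failures[key]),
                "sources": sorted({f.source for f in failures[key]}),
                "succeeded_via": ev.source,
                "at": ev.ts.isoformat(),
            })
        failures[key].clear()   # a success ends the episode either way
    return alerts


# Constructed sample: alice fails on the domain and the VPN, then gets in via
# the VPN; bob fails once and then succeeds, which is normal and must not alert.
SAMPLE_LOGS = [
    "2005-10-03 09:00:01 WINDC01 logon user=alice src=10.1.1.5 result=failure",
    "Oct 3 2005 09:00:07 vpngw1 auth alice from 10.1.1.5: denied",
    "2005-10-03 09:00:12 WINDC01 logon user=alice src=10.1.1.5 result=failure",
    "Oct 3 2005 09:00:20 vpngw1 auth alice from 10.1.1.5: accepted",
    "2005-10-03 09:05:00 WINDC01 logon user=bob src=10.1.1.9 result=failure",
    "2005-10-03 09:05:30 WINDC01 logon user=bob src=10.1.1.9 result=success",
]


def run_sample() -> List[Dict[str, object]]:
    """Parse the constructed lines and return the alerts to escalate."""
    events = [e for e in map(parse_line, SAMPLE_LOGS) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_sample():
        print("ESCALATE:", alert)
```

The point of normalising first is that the correlation rule never has to know which device wrote the line: alice's three failures are split across the domain controller and the VPN gateway, and only the combined view crosses the threshold.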
Compliance reporting & Data Archival
Key Benefits
Automates the collection and secure storage of device logs for security management and compliance
Provides compliance reporting at your fingertips
More efficient incident response procedure
Provides more in-depth and quicker analysis/correlation of collected device logs
Compliance reporting & Data Archival
Case Studies
Local trading house: compliance reporting; automated collection of crucial device logs
Large MNC Financial Institution (Regional Deployment): compliance reporting; more efficient incident response procedure; archival of collected device logs for quicker analysis
Local Service Provider: more efficient incident response procedure; integrated with the Datacraft trouble-ticketing system for round-the-clock monitoring (compliance driven)
The role of IT in Compliance – Cost Control
IT automation helps to reduce the cost of compliance:
Reduces mandated tasks
Increases efficiency
Better resource management
Higher level of assurance
Takes away business pain-points and sleepless nights
Security program as an afterthought or as part and parcel (automation vs. manual patchwork) becomes …
Looking Ahead
Thank You
[email protected]