Security Break Out - Indian Banks' Association

Security and Compliance
Manish Sethi
Head Security Solutions Datacraft
Agenda
1 Security Today
2 Disappearing Boundaries
3 Compliance Landscape
4 Challenge to Compliance
5 Why Security Metrics
6 Automation of Compliance
7 The dashboard approach
Disappearing boundaries
[Diagram: … from castles (before …) to airports … (today …). The Bank, once a closed perimeter, is now connected to: Outsourcing, Joint ventures, Agency agreements, Consultants, Another enterprise, Trusted relationships, Collaboration, Technology partnerships.]
Consistent mistakes
1. Equating compliance with security
2. Failure to track key security metrics
3. Authorising reactive short-term fixes
4. Failure to protect laptop and home computers
5. Failure to institute effective change management
6. Failure to implement a defence-in-depth strategy
7. Failure to implement a vulnerability management strategy
8. Failure to get executive support for your security program
9. Failure to realise that traditional perimeter security is dead
10. Underestimating the costs of “catching up when the need arises”
11. Failure to recognise the importance of security awareness programs
12. Thinking that security is in the scope of your outsourcing contract
13. Assigning untrained people in an unorganised fashion to maintain security
14. Thinking that security is only a technology or IT department problem
15. Thinking that “we can’t be held legally liable for lax information security”
16. Failure to understand the relationship of IT security to the business process
17. Failing to realise the value of their information and organisational reputation
18. Failure to realise that viruses, spam and spyware are a BC (business continuity) issue and not just a nuisance
Source: Dimension Data CxO Assessment
Security landscape – Attack dynamics
[Charts: “Attack targets” and “Attack Types”, percentage bars. Attack targets: Operating systems, E-mail, Known applications, Unknown applications, Spyware. Attack types: Viruses and worms, Phishing, DoS, Web scripting; annotation: 14,000 schemes launched each month with 5% hit rate.]
New targets
Hackers are looking beyond the operating system to gain access to computers, and they're increasingly targeting Web browsers, e-mail clients and other applications and client software.
Vulnerabilities have been discovered recently in Apple Computer's iTunes, RealNetworks' RealPlayer, Microsoft's Internet Explorer, Mozilla Foundation's Firefox, various Oracle applications, enterprise data-backup software from Computer Associates and Veritas, and Cisco’s IOS.
Regulations: Financial Institutions, Insurance,
• Operational risk management, fraud detection and anti-money laundering are major areas of concern
• Some of the key drivers for IT compliance in banks:
  - Internet Banking
  - Electronic Clearing Services (ECS)
  - E-Services: bill payment, online purchase through debit / credit cards
• Stringent Basel II made mandatory by RBI, to be implemented by 2007
• SEBI has been issuing various guidelines to enterprises for ensuring compliance with SEBI Clause 49
Impact of Non-compliance
• Severe penalties
  - Monetary penalties
  - Company liabilities
  - Personal liabilities (responsibility of the individual)
• Reduction in compatibility (level of compliance) compared with peers (competitors)
• Processes & procedures interaction
• Information exposure
• Ability to meet litigation demands
• Company reputation and market (business) at stake
Key To Success – Frequent Auditing

Success Factors                 Laggards (23%)   Norm (67%)   Leaders (10%)
Freq of internal audits         8 Months         7 Months     1 Month
IT time on compliance           16%              25%          30%
IT budget on security           4.5%             7.4%         12.7%
# of overall deficiencies       75               30           20
# of significant deficiencies   33               6            2

Leaders are 15x better because they do more audits…
…But they spend 3x more because they lack automation
Challenges in being Compliant – To Sustain
• Time and cost
  - Manual and inefficient processes
  - Redundant or ineffective IT controls
  - Explosive data growth / expanding retention periods
• Inconsistency and decentralisation
  - No standardised processes
  - Fragmented IT testing efforts
• Measurement and reporting
  - Processes not auditable
  - Issues with timeliness and accuracy
• Complexity
  - IT infrastructure
  - Multiple regulations to address simultaneously
The challenge of measuring Security
“There are three kinds of lies: Lies, Damn Lies, and Statistics”
George Campbell – CSO Emeritus Faculty
Security Metrics … is not about numbers. It really is about measuring performance of Security’s programs.
George Campbell – CSO Emeritus Faculty
Copyright © 2005 CSO Executive Council -- All Rights Reserved
Metrics Program
Focuses on three distinctly interrelated processes:
Security Balanced Scorecard Metrics
  • Financial Performance
  • Customer Focus
  • Operational Excellence
  • Business Process Maturity
Security Baseline
  • ISO17799
  • COBIT
  • NIST
  • NFPA 1600
  • Common practices as they evolve over time
  • Numerous, comprehensive and relatively static
Security Operational Metrics
  • Derived from the security baseline
  • Used to improve security processes
The CxO Security Assessment: Banking Security Benchmarking
• A facilitated self-assessment of current security posture
• A weighted, quantitative assessment
• Low cost, high value, “instant gratification”
• Covers over 150 best practices
• One-day workshop
• Best practices: ISO 17799, ISA, ISF, CSI, TechNet, CobiT, NIST, SANS, Gartner, IDC
• Risk management, Governance, People, Processes, Organisation, Technology
Information Security Management Dashboard
Detailed CXO Scorecard
CXO Benchmarking
Audit Automation
Compliance Audit Automation
Addresses the following:
• Need to achieve a continuous and proactive security strategy
  - Automatically detects vulnerabilities in systems and network
• Need to know changes in systems for compliance
  - Detects deviation from security policies in mission-critical systems and servers
  - Compliance reporting for deviations
• Need to have a baseline configuration for performance measurement of the security program and to enforce the change management methodology
  - Creates baselines for every system in the network
Compliance Audit Automation
Key Benefits
• Resource optimisation
• Higher assurance of compliance
• Reduced risk of threats due to vulnerabilities in systems
• Enforcement of the change management process
Enterprise Manager
Allows us to measure compliance over time
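The two slides above describe the mechanics of compliance audit automation without showing them: record a baseline per system, detect deviations from security policy, tie each change back to change management, and score compliance over time. The following is an added illustration of those four steps, written for this transcript; it is not Datacraft's Enterprise Manager code. The policy items, the two configuration snapshots and the approved-change set are constructed sample data, and the setting names are hypothetical.

```python
import hashlib
import json

# Constructed security policy for this example (not from the presentation):
# setting name -> (expected value, severity of a deviation).
SECURITY_POLICY = {
    "ssh.PermitRootLogin": ("no", "high"),
    "ssh.PasswordAuthentication": ("no", "high"),
    "password.MinLength": (12, "medium"),
    "audit.Enabled": (True, "high"),
    "ntp.Enabled": (True, "low"),
}

# Constructed snapshots of one server: the approved baseline and a later audit run.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "password.MinLength": 12,
    "audit.Enabled": True,
    "ntp.Enabled": True,
    "ntp.Server": "ntp1.example.internal",
}
CURRENT = {
    "ssh.PermitRootLogin": "yes",            # drifted, no change ticket
    "ssh.PasswordAuthentication": "no",
    "password.MinLength": 12,
    "audit.Enabled": True,
    "ntp.Enabled": False,                    # drifted, no change ticket
    "ntp.Server": "ntp2.example.internal",   # changed under an approved (hypothetical) ticket
}
# Settings whose change was approved through change management.
APPROVED_CHANGES = {"ntp.Server"}


def fingerprint(config):
    """Stable SHA-256 of a configuration snapshot; key order does not affect it."""
    canonical = json.dumps(config, sort_keys=True, default=str).encode()
    return hashlib.sha256(canonical).hexdigest()


def policy_deviations(config, policy=SECURITY_POLICY):
    """Settings that do not match policy. A missing setting is also a deviation."""
    return [
        {"setting": key, "expected": expected, "actual": config.get(key), "severity": severity}
        for key, (expected, severity) in policy.items()
        if config.get(key) != expected
    ]


def config_changes(baseline, current, approved):
    """Every setting that differs from the baseline, flagged as authorized or not."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            changes.append({
                "setting": key,
                "before": baseline.get(key),
                "after": current.get(key),
                "authorized": key in approved,
            })
    return changes


def compliance_score(config, policy=SECURITY_POLICY):
    """Percentage of policy items satisfied: the single figure to trend on a dashboard."""
    satisfied = len(policy) - len(policy_deviations(config, policy))
    return round(100.0 * satisfied / len(policy), 1)


def compliance_trend(snapshots, policy=SECURITY_POLICY):
    """Score each labelled snapshot so compliance can be measured over time."""
    return [(label, compliance_score(config, policy)) for label, config in snapshots]


def audit_report(baseline=BASELINE, current=CURRENT, approved=APPROVED_CHANGES):
    """Bundle the checks into one record for the compliance report."""
    changes = config_changes(baseline, current, approved)
    return {
        "changed": fingerprint(baseline) != fingerprint(current),
        "changes": changes,
        "unauthorized": [c["setting"] for c in changes if not c["authorized"]],
        "deviations": policy_deviations(current),
        "score": compliance_score(current),
    }


if __name__ == "__main__":
    print(json.dumps(audit_report(), indent=2, default=str))
    print(compliance_trend([("baseline", BASELINE), ("audit-1", CURRENT)]))
```

The separation matters in practice: `config_changes` answers the change-management question (was this change approved?), while `policy_deviations` answers the compliance question (is the system in the required state?). The approved NTP server change shows up in the first list but not in the second, and the root-login drift shows up in both, which is the case an auditor wants escalated.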
Compliance Audit Automation
Case Studies
• Large MNC financial bank (regional deployment)
  - Assurance of compliance (due diligence)
  - Reduced need for onsite audits
  - Speed of audit
• Large BPO in India
  - Mitigation of the risk of information exposure due to vulnerabilities in systems
  - Constant assurance of compliance to their end-customers
Compliance Reporting & Data Archival
Any compliance requires: specific systems of control over financial data
[Diagram: controls and use cases served by the platform: Malicious Code Detection, RealTime Monitoring, Spyware detection, Troubleshooting, Access Control Enforcement, Configuration Control, Privileged User Management, Lockdown enforcement, Unauthorized Service Detection, False Positive Reduction, IP Leakage, User Monitoring. Log sources collected: Web server activity logs, Switch logs, VA scan logs, Windows domain logins, Windows logs, Web cache & proxy logs, Content management logs, IDS/IDP logs, Router logs, VPN logs, Firewall logs, Wireless access logs, Oracle Financial logs, Mainframe logs, Linux, Unix and Windows OS logs, Client & file server logs, DHCP logs, SAN file access logs, VLAN access & control logs, Database logs.]
Compliance reporting & Data Archival
A Platform for Compliance & Security Operations
In Brief
• Helps manage soaring data volumes, ensuring storage and data access meet regulatory compliance
• Helps automate compliance reporting
• Organisations can strategise now for a platform to integrate future compliance initiatives
Compliance Reports
Features
• Operational and executive compliance reports
• Addresses specific sections of regulations such as Sarbanes-Oxley, HIPAA, FISMA and GLBA
• Compliance reports are customisable
Benefits
• Create a timely, prioritised view of threats against compliance assets
• Measure the effectiveness of compliance initiatives over time
• Customisable compliance reports monitor controls unique to an organisation
Compliance reporting & Data Archival
Addresses the following:
• Need to fulfil regulatory compliance and audit reporting
  - Automates the process of collecting, analysing and reporting on data from systems and network devices
• Need to have secure data retention/archival
  - Securely stores collected data for forensics, future retrieval and compliance with data retention regulations
• Need to perform better resource allocation and more efficient incident response
  - Collected data are analysed/correlated to generate alerts for escalation
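The slide names three functions of a log platform (collection, tamper-resistant retention for forensics, and correlation into alerts) but shows none of them. The block below is an added example written for this transcript, not the vendor's product code: it parses constructed log lines from a firewall and a Windows domain controller into a common record, stores them in a hash-chained archive so that later alteration of any entry is detectable, and runs one correlation rule (repeated logon failures followed by a success for the same user and source) to raise an alert. The log format, hostnames, usernames and addresses are all constructed sample data.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a simplified, already-normalised form (not real device output).
SAMPLE_LOGS = [
    "2005-11-02T09:00:01 fw01 DENY src=10.1.1.25 dst=10.9.9.5 dport=445",
    "2005-11-02T09:00:05 dc01 LOGON_FAILURE user=jsmith src=10.1.1.25",
    "2005-11-02T09:00:09 dc01 LOGON_FAILURE user=jsmith src=10.1.1.25",
    "2005-11-02T09:00:14 dc01 LOGON_FAILURE user=jsmith src=10.1.1.25",
    "2005-11-02T09:00:20 dc01 LOGON_SUCCESS user=jsmith src=10.1.1.25",
    "2005-11-02T09:30:00 dc01 LOGON_FAILURE user=asingh src=10.1.2.7",
    "2005-11-02T10:30:00 dc01 LOGON_SUCCESS user=asingh src=10.1.2.7",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>.*)$")
GENESIS = "0" * 64  # previous-digest value used for the first archive entry


def parse_line(line):
    """Turn one raw line into a dict with timestamp, host, event and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {"ts": datetime.fromisoformat(m.group("ts")),
            "host": m.group("host"), "event": m.group("event"), **fields}


def correlate_logons(records, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failures for one user/source precede a success within window."""
    failures = defaultdict(list)
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r.get("user"), r.get("src"))
        if r["event"] == "LOGON_FAILURE":
            failures[key].append(r["ts"])
        elif r["event"] == "LOGON_SUCCESS":
            recent = [t for t in failures[key] if r["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"user": key[0], "src": key[1], "failures": len(recent),
                               "success_at": r["ts"].isoformat(), "severity": "high"})
            failures[key].clear()  # a success closes the sequence either way
    return alerts


def archive(lines):
    """Append-only archive where each entry's digest covers the previous digest (hash chain)."""
    entries, prev = [], GENESIS
    for line in lines:
        digest = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        entries.append({"line": line, "prev": prev, "digest": digest})
        prev = digest
    return entries


def verify_archive(entries):
    """Return -1 if the chain is intact, otherwise the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(entries):
        expected = hashlib.sha256((prev + "\n" + e["line"]).encode()).hexdigest()
        if e["prev"] != prev or e["digest"] != expected:
            return i
        prev = e["digest"]
    return -1


def run(lines=SAMPLE_LOGS):
    """Collect, archive, verify and correlate in one pass, as a compliance platform would."""
    records = [r for r in map(parse_line, lines) if r is not None]
    entries = archive(lines)
    return {"parsed": len(records), "archive_ok": verify_archive(entries) == -1,
            "alerts": correlate_logons(records)}


if __name__ == "__main__":
    print(run())
```

One caveat the chain alone does not cover: it detects modification or reordering of stored entries, but not silent truncation of the newest ones, and a writer who controls the archive can recompute the whole chain. A retention scheme for forensic use therefore records the latest digest somewhere the log writer cannot alter (a separate system, write-once media or a signed timestamp) and compares against it on audit.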
Compliance reporting & Data Archival
Key Benefits
• Automates the collection and secure storage of device logs for security management and compliance
• Provides compliance reporting at your fingertips
• More efficient incident response procedure
• Provides more in-depth and quicker analysis/correlation of collected device logs
Compliance reporting & Data Archival
Case Studies
• Local trading house
  - Compliance reporting
  - Automated collection of crucial device logs
• Large MNC financial institution (regional deployment)
  - Compliance reporting
  - More efficient incident response procedure
  - Archival of collected device logs for quicker analysis
• Local service provider
  - More efficient incident response procedure
  - Integrated with the Datacraft trouble-ticketing system for round-the-clock monitoring (compliance driven)
The role of IT in Compliance – Cost Control
IT automation helps to reduce the cost of compliance:
• Reduces mandated tasks
• Increases efficiency
• Better resource management
• Higher level of assurance
• Takes away business pain-points and sleepless nights
Security program as an afterthought or part and parcel (Automation vs. manual patchwork) becomes …
Thank You
[email protected]