William List www.gammassl.co.uk w.list@ntlworld.com

Transcription

Security - Who is in
charge? - The users?
Or the system?
William List
www.gammassl.co.uk
w.list@ntlworld.com
©Wm. List & Co, Gamma Secure Systems Limited, 2004
Agenda
Q Introduction
Q Fast Track ISMS
Q Internal Control and
Corporate Governance
Q Results
Q Time Metrics
Q Risk Treatment Plans
Q An Exercise
Q Summary and
conclusions
Q Overview of the 7799
Standards
Introduction
We all live in an insecure
world
Nothing is really secure
Old Threats
Q Breakdowns
Q Mistakes
Q Thieves
Q Fraudsters
Q Terrorists - bombers
Q Acts of God - flood, fire, etc
New Threats
Q Hackers - spammers
Q Viruses
Q Impersonation - pfishing
Q Bugs and gremlins in the systems
Traditional Solution
Secure the perimeter of the computer
(system)
And elsewhere for
E-Commerce
e-Business Structure
Customer
WWW
Call Centre
Shop Front
Internet Technology (delivery platform)
Kiosk
Work
Flow
CRM
Profile
Middleware
Marketing
Distribution
Finance
Sales
Service
TYPICAL EC ARCHITECTURE
Content
building
tools
Product
Catalog
Database &
Data
warehousing
Internet
Mainframe
Accounting
Fulfillment
ERP
ERM
EDI
Consumer
Browser
Router
E-Commerce
server
Web Server
Merchant A/C
Authorisation &
Settlement Server
Issuing
Bank
Consumer A/C
Acquiring
Bank
Three Tier Architectures
Backend Layer
Mid-tier Layer
Web Server Layer
E-Commerce
servers
Internet
Loadbalancing
DNS
Mainframe
Router
ERP
Syustem
Analysis and
decision support
interface
Catalog Database
And we must remember
that the programs are
(heavily) patched
and may be unstable
What is the system doing?
QIs it right?
QIs it authorised?
QCan I find out?
So what are we told?
Q Rogue users compromise security
Q Emails contain bad things
Q Boards must be involved
Internal Control &
Corporate Governance
Internal Control is an old
concept
What is Internal Control?
Q Way in which management deploys resources to
achieve the organisation's objectives
Q Two basic parts:
¾Procedures to perform the work necessary to
conduct the organisations business
(operational procedures)
¾Procedures to ensure that the business is
conducted as expected (controls)
Q It is this second part that concerns us today
Audit Practice Board
Q This is their advice:
Mission
Mission
Business
BusinessObjectives
Objectives
Business
BusinessRisks
Risks
Applicable
ApplicableRisks
Risks
Internal
InternalControls
Controls
Review
Review
Risks – a Taxonomy
Q Following Basel II
Applicable Risks
Q and non-applicable risks
Controls – Fundamentals
“… detect the event in
sufficient time to do something
positive about it… “
Types of Control
Q Preventive
¾ Either prevent the event from occurring or affecting the
organisation, or
¾ Detect the event as it happens and prevent any further activity
that may lead to an impact
Q Detective
¾ Identify when some event, or events have occurred … and
invoke appropriate actions to arrest (or mitigate) the situation
Q Reactive
¾ Identify that the impact has occurred and invoke appropriate
actions to recover (or mitigate) the situation
Why Corporate Governance
Q … a result of scandals … investing public … being
"ripped off" … conduct of senior executives
¾ South Sea Bubble, Kruger, Salad Oil company, Equity
funding, Polly Peck, Maxwell Pensions, Enron,
WorldCom …
Q New laws/regulations … anti discrimination, privacy
protection, product quality etc.
Q Turnbull, OECD, Sarbanes-Oxley, EU directive
The OECD Principles (2004)
Q The rights of shareholders and key ownership functions
Q The equitable treatment of shareholders
Q The role of stakeholders in corporate governance
Q Disclosure and transparency
Q The responsibilities of the Board
¾ It is an important function of the board to establish
internal control systems covering the use of corporate
assets and to guard against abusive related party
transactions.
Turnbull
Q FTSE only (Yellow Book) requirement
Q IC part
Sarbanes-Oxley/EC Directive
Q An act “to protect investors by improving the
accuracy and reliability of corporate disclosures
made pursuant to the security laws, and for
other purposes”
Q Places heavy emphasis on internal control, e.g.
¾ §404 (a) (1) state the responsibility of management
for establishing and maintaining an adequate internal
control structure and procedures for financial
reporting.
Time Metrics
The Fundamental Principle
“… detect the event in
sufficient time to do something
positive about it… “
See http://www.gammassl.co.uk/topics/time/index.html
Parameter Definition (Time)
Q Time that event occurs, TE
Q Time of detection, TD or TM
Q Time problem is fixed, TF
Q Time at which impact occurs (if not fixed), TW
Parameter Definition (Money)
Q Cost of doing business,
CBA
Q Cost of internal control,
CICS
Q Impact penalty,
Q Cost of fix,
IP
CF
Fundamental Model
P
Rev
e,
u
n
e
R
Money (£)
ies, C BA
t
i
v
i
t
c
ess a
n
i
s
u
b
f
Cost o
Time
Cost of ICS, CICS
Fundamental Model
P
Rev
e,
u
n
e
R
Money (£)
ies, C BA
t
i
v
i
t
c
ess a
n
i
s
u
b
f
Cost o
Time
TE
Cost of ICS, CICS
Fundamental Model
P
Rev
e,
u
n
e
R
Cost of ICS, CICS
Money (£)
ies, C BA
t
i
v
i
t
c
ess a
n
i
s
u
b
f
Cost o
Time
TE
TW
Fundamental Model
P
Rev
e,
u
n
e
P
R
Cost of ICS, CICS
Money (£)
ies, C BA
t
i
v
i
t
c
ess a
n
i
s
u
b
f
Cost o
Time
TE
P
TW
Fundamental Model
P
Rev
e,
u
n
e
P
R
Cost of ICS, CICS
Money (£)
ies, C BA
t
i
v
i
t
c
ess a
n
i
s
u
b
f
Cost o
Time
TE
P
TW TM
Fundamental Model
P
Rev
e,
u
n
e
P
R
Cost of ICS, CICS
Money (£)
ies, C BA
t
i
v
i
t
c
ess a
n
i
s
u
b
f
Cost o
Time
TE
P
TW TM TF
Fundamental Model
P
Rev
e,
u
n
e
PP
R
Cost of ICS, CICS
Money (£)
ies, C BA
t
i
v
i
t
c
ess a
n
i
s
u
b
f
Cost o
Time
TE
TW TM TF
P
Fundamental Model
P
Rev
e,
u
n
e
R
Money (£)
ies, C BA
t
i
v
i
t
c
ess a
n
i
s
u
b
f
Cost o
Time
Cost of ICS, CICS
Fundamental Model
P
Rev
e,
u
n
e
R
Cost of ICS, CICS
Money (£)
ies, C BA
t
i
v
i
t
c
ess a
n
i
s
u
b
f
Cost o
Time
TE
TW
Fundamental Model
P
Rev
e,
u
n
e
R
Money (£)
ies, C BA
t
i
v
i
t
c
ess a
n
i
s
u
b
f
Cost o
Time
TE TD
TF TW
Cost of ICS, CICS
Fundamental Model
P
Rev
e,
u
n
e
R
Money (£)
ies, C BA
t
i
v
i
t
c
ess a
n
i
s
u
b
f
Cost o
Time
TE TD
TF TW
Cost of ICS, CICS
Fundamental Model
P
P
Rev
e,
u
n
e
R
Money (£)
ies, C BA
t
i
v
i
t
c
ess a
n
i
s
u
b
f
Cost o
Time
TE TD
TF TW
Cost of ICS, CICS
Continuum of Classes
Class Ability to detect the event and take
recovery action
Type
1
Prevents the event, or detects the event as it
happens and prevents it from having any impact
Preventive
2
Detects the event and reacts fast enough to fix it
well within the time window
Detective
3
Detects the event and just reacts fast enough to fix
it within the time window
4
Detects the event but cannot react fast enough to
fix it within the time window
5
Fails to detect the event but has a partially deployed
BCP
6
Fails to detect the event but does have a BCP
7
Fails to detect the event and does not have a BCP
Reactive
Risk Treatment
Plans
What is a Risk Treatment Plan?
Q Risk Treatment: treatment process of selection and
implementation of measures to modify risk [ISO Guide
73]
Q Identification of risk
Q Prevention of occurrence
Q Detection of occurrence
Q Limitation of Impact
Q Recovery
What is a Good Risk Analysis?
Q The senior management, as a whole can
¾ understand the risks
¾ together participate in determining optimum countermeasures to risk
¾ allocate the overall ‘control’ spend to various risks across the whole business
Q All staff concerned with design, implementation or
performance of controls
¾ to understand why the control is necessary
¾ to determine when an implementation of a control fails to meet its objective
¾ to understand how failures in a control are detected
Q Enables prompt revisions to be undertaken as
circumstances change or incidents occur
Q NOTE The risk analysis can be in tiers if complex
Traditional risk analysis
Q Identify
¾Assets
¾Threats
¾Vulnerabilities
¾Probability of incident occurring
Q Estimate risk factor
¾Value of loss if risk occurs
¾Probability of risk occurring
¾Complex mathematics
Who knows
Q All the threats - or their urgency
Q All the vulnerabilities - in purchased software
Q What are probabilities of occurrence
Q So 9/11
DO THE BOARD
UNDERSTAND
THE RESULTS?
There must be
a better way to
explain the
risk treatment plan
Suppose we start with
what worries people
Worries
No Sales
No Money
IT failed
Fraud
Regulators
Bad press
Info all to pot
Wrong product
Competitors
Too expensive
No bribes
My Customers have not paid me
Why not?
Bad work
Did not deliver
Did not Invoice
Customer broke
How to address worries
Q Identify what they are
Q Try to prevent
Q Detect if materialised
Q Limit impacts
Q Recover
Recording the RTP
Q Tell the story:
¾ How I planned to save the business
Q For example:
¾ My airplane is broken - far away
¾ Impacts
Safety for crew and passengers
Customer satisfaction
Additional costs
Q This happen to us on BA 122 on
22nd November 2003 – read the
Time Paper
Stylised RTPs
Q Business driven risk assessment/ treatment using
events and impacts Æ making it all worthwhile
Event
Organisation
Specific
Common (but treatment
might be different!)
•Aircraft broken down
•Bagage handler strike
•Theft
•Acts of God
•Regular Fraud
•IT failure
•Hacking
•etc
Stylised RTPs
Q Business driven risk assessment/ treatment using
events and impacts Æ making it all worthwhile
Impacts
•Adverse press coverage
•Questions in parliament
•Court action against org
•Failure to prosecute
•Unanticipated costs
•etc
Method
Q One RTP per event
Q Describe event
Q List assets that might be
affected
Q Document, order
applicable impacts
Q List applicable threats
Q Repeat until all impacts
dealt with, and residual
risk is acceptable:
¾ How can it happen?
¾ Do I prevent it?
¾ How do I detect it?
No preventive measure or
Preventive measure fails
or
Didn’t know it could
happen that way
¾ How do I fix/recover?
Overview of the
7799 Standards
ISO/IEC 17799 and BS7799-2
Q BS 7799 Part 2 is a
management standard –
e.g. let’s party. Part 2
tells you what to do
Q IS 17799 is a super-
market of good things
to do
Q Certification is against Part
2 – is the party OK?
Effective
Security in
tune with
the
business
BS 7799-2:2002
Scope •
Policy •
Risk Assessment (RA) •
Risk Treatment Plan (RTP) •
Statement of Applicability (SOA) •
•ISMS Improvements
•Preventive Action
•Corrective Action
Operate Controls •
Awareness Training •
Manage Resources •
Prompt Detection and Response to Incidents •
•Management Review
•Internal ISMS Audit
ISO/IEC 17799:2000
Provides guidance under 10 major headings
Q
Q
Q
Q
Q
Q
Q
Q
Q
Q
Security Policy
Security Organisation
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Communications and Operational Management
Access Control
Systems Development and Maintenance
Business Continuity Management
Compliance
Linking the Two Standards
Q The Statement of Applicability (SOA):
“a document describing the control objectives and
controls that are relevant and applicable to the
organization’s ISMS, based on the results and conclusions
of the risk assessment and risk treatment processes”
Q It is a certification requirement (EA7/03)
Why is it Important?
Q You have to say, for all 127 ISO/IEC 17799 controls,
whether they are applicable or not
Q If YES, why (with reference to risk assessment)
Q Important because everyone uses the same laundry list
A Practical Implementation
Policy
Policy statements
statements
(could
(couldbe
beimposed
imposed
by
byhigher
higherauthority)
authority)
Risk
Risk assessment
assessment
risk
risk treatment
treatment plan
plan
Link backs
normative
A.x.x.x Clause
YES, policy xyz, events, abc
see reference
A.x.x.y Clause
N/A reason
informative
Link forward
to procedure
manuals etc.
Fast Track ISMS
The Vital Ingredients
Q Role Model
Q Skeleton ISMS Manual
Q The event-impact driven RTPs (as previously
discussed)
Q Classroom and on-the-job training
Q Various quality assurance activities
Role Model
Q Information Security Forum (ISF)
Q ISMS Administrator
Provide feedback
Provide feedback
Set Civil Servicewide policy
Q Internal ISMS Auditor
ISF
Provide feedback/
request policy
enhancements
Policy
Makers
Direct
Advise
Owns/looks after
Q ISMS Trainer
Owns
Internal
ISMS
Auditors
Q ISMS Advisor
Provides
management
information
ISMS
Administrator
Advise
ISMS Advisor
Manages
Advise
Audit
Q Certification Auditor
Information
users
ISMS
Certification
Auditors
Use
Certify
Instruct and monitor
Q Policy Maker
Acts to reduce risk
to acceptable level
Information
Skeleton ISMS Manual
Parts for you to
complete
Checklists
Covers every requirement
of BS7799-2:2002
Contents
Q Pages associated with the
whole PDCA cycle
Q Facility for including training
and awareness
Q Built-in facility for document
control
Q Internal ISMS audit proforma
and checklist
Q Space to define ISMS scope
and context
Q Management system review
checklist
Q Prototype ISMS policy
Q Procedures for corrective
action etc.
Q Provision for RTPs
Q Virtually complete SOA (with
built-in hyperlinks to policy
statements and standard
events)
Q To-Do-List and associated
procedures
Q Compliance index
The “To-Do-List”
Q BS 7799-2 is a management standard – so is
internal control
Q Management processes must be in place, but
new security processes may be required because
risks change
Q At any point in time:
¾Existing security procedures in place
¾Newly identified ones still-to-do
Q Managed using a “To-Do-List”
The “To-Do-List”
Q BS 7799-2 is a management standard – so is
internal control
Q Management processes must be in place, but
new security processes may be required because
risks change
Q At any point in time:
¾Existing security procedures in place
¾Newly identified ones still-to-do
Q Managed using a “To-Do-List”
Results
Some Results
Q UK Logistics Company
¾ Initial development of
Skeleton
¾ First application of eventimpact driven RA/RTPs
¾ Engaged Board
¾ MD in control
Q UK start-up
¾ Up to speed in a day
¾ 2 day brainstorm for RTPs
¾ First BSI visit in September
Q Government of Mauritius
¾ 4 sites “attested” by MSB
¾ Chiefs empowered
¾ Rollout to all other
departments
Principle can be extended
Q Overall ICS
Q Including
¾ISO 9000
¾Financials
¾General management issues
Now an audience
participation exercise
Identity Cards
Summary and
Conclusions
Computers help people
Q PCs, mobile phones, mainframes, servers etc
Q Could we do without them?
¾Volume of transactions
¾Speed of communications
Q Criminals are businesses too
Summary
Q Information security part of
internal control
Q Time metrics key to effectiveness
Q Event-impact driven RA/RTPs key
to Board engagement
Q Hypertext, web-technology
Skeleton key to rapid
development
Q Certification successes bear this
out
Effective
Security in
tune with
the
business
Security - Who is in
charge? - The users?
Or the system?
William List
www.gammassl.co.uk
w.list@ntlworld.com

William List www.gammassl.co.uk w.list@ntlworld.com

Transcription

Similar documents

Meal Aktiv Fritid – ut på tur

Gamma Alpha Chapter News

Infinite Edge ParOOon Models for Overlapping Community

EXPANDING THE GAMMA FUNCTION NEAR ITS NEGATIVE

MLK YA UPCF program - Gamma Gamma Lambda Chapter

welcome to our - Synergy Health

Teambuilding Aktiv Fritid - Aktiv Fritid

meet the other side of the interface encourage people to