Agenda
3. Enterprise Security Requires a Truly Integrated Approach . . . that links organizational, technical, administrative and physical security to a strategic combination of IT architecture, business drivers and processes, legal requirements, threat scenarios and design.
The risks are enormous and internal and external pressure continues to mount
Effective management of information security risks using a framework can drive better business and IT decisions and achieve better results. It can:
- Avoid audit by checklist
- Ensure information integrity, availability and confidentiality
- Avoid fraud or loss of confidence
- Reduce compliance liability
- Reduce IT inefficiencies
- Enhance productivity and quality
- Protect IT assets
- Align IT programs with business objectives
- Improve customer service and responsiveness
- Leverage risk to support competitive opportunities
- Enhance and protect the Brand
- Reduce cost
Deloitte & Touche LLP and affiliated entities.
Risks: Escalating Costs, Compliance Liability, Unprotected Assets, Business Liability
The traditional control implementation approach often does not address the needs:
- Measurement: measurement of security compliance is often based on an audit-driven scorecard rather than a risk-driven scorecard
- Requirements: legal, regulatory and general business risk requirements are not consistently applied by business segments and departments
- Security Strategies: strategies often don't take into account operational realities or provide reasonable options
- Enterprise Security: policies and procedures are often created in a vacuum or solely based on "Best Practices"
- Operations / Maintenance: updated when system changes occur
- Reporting
Point Solution Approach:
- IT management oversight without appropriate executive management support
- IT functional stove-pipes and lack of executive management visibility
- One-off fixes that are not integrated or leveraged as long-term investments
- Focused on solving immediate problems which will most likely recur over time
- Increased total-cost-of-ownership and disruption from overhead, redundancies and conflicts
A sound enterprise information security strategy should have proper balance and integration with the security governance, architecture and operations
- Strategy
- Architecture: provides technology standards, models and technologies to be leveraged by the business
- Corporate Policies
What does the information security program look like? Define the Information Security Program Framework
Information Security Framework:
- Information Security Drivers: Business, Risk Tolerance, Legislation & Regulations
- Operations: Audit, Enforcement, Monitoring & Management, Measurement & Assessment
How does the information security program operate? Define the links
ISO 27001 Information Security Management System:
- Governance: Executive Steering Committee, Architecture Definition Committee, Policy Definition Committee, Project/Portfolio Review Committee, Third Party Management Committee, Performance Metrics & Incentives, Risk Budget & Planning
- Security Management: Risk Office Management, Training & Awareness, Policy Management, Risk Management, Certification & Accreditation, Compliance Management
- Access Management
- Operations Management: Change Management, Configuration Management, Vulnerability Management, Incident Management, Customer Support, Systems Management
- Delivery
- Resilience
The information security program provides a reference that can be used to measure how the program operates and its effectiveness
Information Security Architecture defines the solution, Operations monitors and manages the environment and Measurement provides program effectiveness reporting.
2. Operations Management: Change Management, Vulnerability Management, Incident Management, Monitoring
3. Audit
4. Enforcement
Awareness and Training, Risk Management and Measurement round out the program
Enterprise Security Framework POV - 2005
The Information Security Architecture provides a mechanism to deliver a consistent approach to information security decisions and solutions.
Conceptual (Models): Security Principles, Security Policies, Security Design Objectives, Threat/Risk Profile, Security Architecture Principles
- User Communities, Business Partners, Stakeholders, Trust Model, Availability, Security Zones, Information Flow Control, Security Operation, Administration, Monitoring & Compliance
Functional (Components): Security Standards, Security Design Decisions, Security Design Patterns (Logical), Security Component Definition
- Access Management: Identity, Authentication, Authorization, Credential Management, Role Based Access Control
- Confidentiality, Business Continuity, Backup & Recovery, Non-repudiation, Trusted Time, Secure Storage & Destruction, Physical Security
- Intrusion Detection, Network Access Control, Network Segmentation, Content Management, DMZ
- Security Management: Logging & Monitoring, Incident Management, Reporting, Security Operation Centre, Vulnerability & Configuration Management
Physical (Nodes): Technical Operating Standards, Product Standards, Security Design Patterns (Physical), Process Documents, Configuration Guidebooks, Security Node Definitions
- Access Management: Credentials, Profiles, Authorization Rules, Credential Repository
- Encryption, Private Keys & Certificates, Message Digest, Digital Signature, NTP
- Firewalls/VPNs, Switches/Routers, IPS, NIDS & HIDS, Anti-Spam, Anti-Virus, URL Filter
- Security Management: SIM & SEM, KPIs & Dashboard, Vulnerability Assessment, Security Baseline
3. The principles, objectives and business requirements for information processing that an organization has developed to support its operations.
ISO 17799 presents a comprehensive set of controls considered to be best practices in information security including policies, practices, procedures, organizational structures and software functions
ISO 17799:2005: 11 Clauses, 39 Objectives, 146 Controls
- Security Policy
- Organizing Information Security
- Asset Management
- Human Resources Security
- Physical & Environmental Security
- Communications & Operations Management
- Access Control
- Acquisition, Development & Maintenance
- Business Continuity Management
- Compliance
What It Is:
- Addresses information asset security from a risk-based perspective by way of policies and best practices
- Critical component of an overall enterprise security architecture
- Recognized Information Security Management System Standard
What It Is Not:
- Definitive details or How-Tos to implement security
- A comprehensive list of required controls to satisfy the requirements of every organization; other controls may be required as a complement
- An Information Security Methodology
- A Technical Standard
Sarbanes-Oxley Compliance relies on COSO and CobiT to provide a structure for controls.
- COSO is the control framework of choice for SOX compliance; all 5 COSO layers must be considered when evaluating internal controls
- COSO Components: Control Environment, Risk Assessment, Control Activities, Monitoring
- CobiT Objectives: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate
- SOX Section 302 and Section 404
ISO 17799 provides a more detailed control framework for information security and provides the linkage between the information security decisions (ISO 17799) and the control objectives (CobiT).
Use the IT & Security Operating Framework to establish a baseline and track progression over time
Policies, processes and standards defined and formalized across the organization.
Capability Analysis maturity levels: 1 - Initial, 2 - Repeatable, 3 - Defined, 4 - Managed, 5 - Optimized
Framework areas assessed:
- Governance: Executive Steering Committee, Architecture Definition Committee, Policy Definition Committee, Project/Portfolio Review Committee, Third Party Management Committee, Performance Metrics & Incentives, Risk Budget & Planning
- Security Management: Risk Office Management, Training & Awareness, Policy Management, Risk Management, Certification & Accreditation, Compliance Management
- Access Management: Identity
- Operations Management: Change Management, Configuration Management, Vulnerability Management, Incident Management, Customer Support, Systems Management
- Delivery: Data, Application, Personnel, Physical
- Resilience: Backup & Restoration, Diversification
What gets monitored gets measured, what gets measured gets managed.
ISO 27001 certification process:
- Risk Assessment: ISMS interviews, Asset inventory, Business Impact Assessment, Risk identification, Risk evaluation, Risk calculation (ALE)
- Risk Treatment: ISMS interviews, Assessment, Control selection, Control review, Control implementation status, Statement of Applicability
- Approve / Certify; Revise / Publish
- Pre-Assessment Audit (*Discretionary*): Assessment of Readiness, Desk top (paper) audit, ID Non-conformities
- Certification Audit
- Surveillance Audits
- ISM Compliancy
Phase I approach:
- 2. Business Strategy: inputs CIBC Documents; Orientation Workshop, Assessment Workshop; Threat Landscape / Risk Tolerance
- 3. Review Security Program (Current State): inputs CIBC Documents, Industry and Reference Standards, Interviews / Workshops; tools Methodology & Intellectual Capital, Workshop/Interview Schedule, IT Security Standards
- 4. Define Enterprise IT Security Strategy Requirements: tools Methodology & Intellectual Capital, Threat/Risk Assessment, Architecture Strategies, Security Standards/Models
- 6. IT Security Strategy Document: inputs Interviews / Workshops, Survey Information, Industry Standards
  IT Security Strategy contents: IT Security Mission and requirements; Relationship to the IT Security Program; Measurements; Delineation of Responsibilities; Identify any current Gaps; Position in Security Life Cycle
- Define Security Architecture Principles, Define Security Architecture Strategy, Define Security Architecture Conceptual: inputs Interviews / Workshop, Stakeholder Input
  Each IT Security Principle: Principle Name, Statement, Rationale (Motivation), Implication
- IT Security Strategy Roadmap and Next Steps: 3 Year Vision, Strategy & Organization
- 8. Define IT Security Architecture Framework (Functional, Physical): inputs Interviews / Workshops; Technical Framework, Reference Standard, Solution Design
- 9. Define Security Strategy Roadmap and Next Steps
- Develop Presentation: IT Security Principles Presentation
- Completion Review
Legend: Existing Documents, Reference Documents, Project Deliverables, Project Tools
IT Security Strategy inputs and definitions:
- Business Mission: the business mission and goals of the organization
- IT Security Vision & Mission: the long range goals for IT security; the defined responsibilities and path to achieve the IT Security Vision and Mission
- Risk Tolerance: the level of risk that the organization is willing to accept
- Legislation and Regulatory Compliance: the legislation and regulations that the organization must be in compliance with
- Corporate Policies: corporate guidance that establishes a basis for IT Security Principles and Policies
- IT Security Principles (each with Motivation and Implication): the statements of value, operation or belief that define the organization's overall approach to IT Security
- IT Security Strategy: provides guidance to the organization by translating the business objectives and tolerance for risk into structures that can be technically implemented
- Security Architecture Design Principles: the high-level decisions that provide overall guidance to the form and definition of the IT Security Architecture
- IT Security Policy Framework: the outline of responsibilities and processes for policies
- IT Security Conceptual Architecture: the high-level view of the trust model and relationships
- IT Security Functional Architecture: the specification, position and relationship of the required functions
- IT Security Physical Architecture: the specification of the nodes that deliver the required functions
IT Security Policy Decisions: inputs Business Mission, TDBFG IT Security Policy Framework, TDBFG IT Security Policies and Standards, Corporate Policy Template, Stakeholder Input
- Each IT Security Policy: Policy Name, Statement, Summary, Purpose, Scope of Application, Policy, Roles & Responsibilities, Exception Management, Ownership & Change Management, Policy Review Cycle
IT Security Policy Framework: inputs Business Mission, Reference Standards, Legislation/Regulations, Threats and Risks, Stakeholder Input, TDBFG IT Security Policy Framework, IT Security Policies and Standards, Organization, Enterprise Risk Management, Interviews/Workshops, IT Security Standards
- IT Security Policy Framework Requirements, IT Security Policy Framework Decisions, IT Security Policy Framework: Contribution to IT Security Program; Management Responsibilities and Processes
- IT Security Policy Framework Processes, for each Policy Statement: Purpose, Rationale, Implications, Definition and enhancement, Review and approval, Management and enforcement, Position in IT Security Program
- Develop Presentation; Completion Review
Security Metrics: measure the efficiency, effectiveness, value and continuous performance improvement of the individual security process
- Security Management: Mandate, Operations, Incident, Problem, Change, Configuration, Monitoring
- Security Capability: policies and standards in place to define responsibilities, behaviors and criteria; clearly defined set of technology-independent principles developed from the business strategy
- Assurance: auditing, monitoring, and reporting processes and controls in place to ensure they are meeting standards and are effective
- Evolution
Questions?
Glen Bruce, glebruce@deloitte.ca
Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 6,100 people in 47 offices. Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.l. The firm is dedicated to helping its clients and its people excel. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu. Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.