The Fall of Information Security - PowerPoint PPT Presentation

Provided by: johnv50
Slides: 18

Transcript and Presenter's Notes

1
The Fall of Information Security
  • The Rise Of Audit Based Information Security
  • John Verry
  • April 18, 2005
  • Brookhaven National Labs

2
Compliance is King
  • Information Security is no longer about network
    security
  • Regulatory Bodies are dictating the way that we
    conduct our operations: HIPAA, Sarbanes-Oxley,
    FISMA, California SB-1386, GLBA, FDA 21 CFR Part
    11, Check 21, etc.
  • Information Security is about being COMPLIANT!

3
Why Compliance? Why Now?
  • COSO stems from the 1980s S&L Crisis
  • Sarbanes-Oxley stems from the Enron, WorldCom and
    Arthur Andersen debacles
  • Because we are doing a lousy job of protecting
    critical information

4
Consider The Last Few Months
  • Bank of America - 1,200,000 records (Federal
    Employees, even US Senators!)
  • LexisNexis - 310,000 records
  • Ralph Lauren - 180,000 records
  • ChoicePoint - 150,000 records
  • DSW Shoe Warehouse - 145,000 records (750
    confirmed fraud cases)
  • Las Vegas DMV - 9,000 records

5
It's Not a Technology Problem
  • Bank of America - Lost data tapes, possibly
    stolen by commercial air baggage handlers
  • LexisNexis - Social Engineering (fraud);
    unspecified breakdown of the internal customer
    credentialing process
  • Ralph Lauren - Not specified yet, but associated
    with a US-based retailer, according to
    MasterCard
  • ChoicePoint - Social Engineering fraud: using
    forged documents such as business licenses, the
    thieves became a ChoicePoint customer and gained
    access to customer data
  • DSW Shoe Warehouse - Traditional technology
    hack; details not disclosed
  • Las Vegas DMV - Physical break-in/theft of a
    computer containing 3 months' worth of driver's
    license data (SSN, photo, signature, name,
    age, etc.)

6
It's Here to Stay - $'s & Power
  • InfoSec Vendors are evolving products (buying
    "compliance" blue paint)
  • The Big 4(?) are paradoxically benefiting from
    regulations aimed against them
  • Shift in power to PCAOB, CMS and SEC, which are all
    ramping up
  • We continue to shoot ourselves in the foot
  • The trend line is UP

7
Audit Based InfoSec (ABIS)
8
Implications for IT Personnel
  • Governance moves from buzz to reality: meet the
    CFO
  • Traditional InfoSec Practitioners join the
    Federal Endangered Species List
  • Learn a new language (COBIT)
  • "Begin with the end in mind" (Covey)
  • Good News: it's all Common Sense

9
Audit Based IS - Detail
10
ABIS IT Objectives
  • Objectives Specific to IT (the COBIT information
    criteria):
    • Effectiveness
    • Efficiency
    • Confidentiality
    • Integrity
    • Availability
    • Compliance
    • Reliability

11
Audit Based IS vs. IS
12
Audit Based IS ROSI
13
Impact for Management
  • Information Security Environments need to be
    architected to hold up across multiple regulatory
    compliance frameworks
  • Focus on bringing value to the organization
  • A Checklist Mentality will kill you
  • Adopt an Internal Control Framework (e.g., COBIT)
  • Initial complexity will provide n-fold payback as
    you leverage the work of others
  • Take a Risk-Based Approach
  • Monitoring and Independent Validation are a must

14
Impact for IT Management
  • Defense in Depth has changed
  • The Previous Model was largely premised on product
    layers:
    • Router ACL, Perimeter Firewall, Desktop IPS
  • The New Model is largely premised on Control Layers:
    • Managerial Control, Operational Control,
      Technical Control
    • Policy, Procedure, Standard
  • The key is to work from the Core:
    • (Risk & Regulatory Compliance & Strategic
      Business Objectives & IT Strategy) Drive Control
      Objectives
    • Control Objectives Drive Policy
    • Policy Drives Procedure
    • Procedure Drives Standards

15
Impact for IT Management
  • More emphasis on Detect Controls
    • Monitoring/Compliance Tools are the rage
    • Security Event Management gets a new coat of
      paint (and is salvaged from the IDS stigma)
    • Awareness, Forensics, and Compliance from a
      single data source
  • More emphasis on non-technical Prevent Controls
    • Security Awareness Training
    • Risk Assessment
  • More emphasis on Managerial and Operational
    Controls
    • SDLC is no longer a four-letter word
    • Technology Oversight Committees play a greater
      role
    • Internal Audit is showing up at a lot more
      meetings

16
Impact for FSGI (?)
  • Partner relationships are held to greater
    scrutiny
    • Your control environment is your client's control
      environment
    • Increasingly likely that you meet your client's
      Auditors
    • Requests for Audit Reports (SAS-70 equivalent)
  • Your relationship becomes more formal
    • Sign-off on Policies, Procedures, Standards
    • Sign-in/Sign-out
    • Remote Access meets standards
    • Personnel held to the same standards as employees
  • Your Personnel need more training
    • General Security Awareness
    • Specific Regulatory Training based on the client
      and/or Systems served
      • Health Care (F5000) -- HIPAA
      • Public -- Sarbanes-Oxley
      • Pharma -- 21 CFR Part 11
      • Many -- SB 1386
      • Gov -- FISMA

17
Open Q&A
  • The presentation was intended to stimulate exchange
  • Resources:
    • www.itgi.org
    • www.isaca.org
    • www.sans.org
    • www.audit.net
    • www.aicpa.org
  • jverry_at_pvtpt.com