Awareness Program on Compliance in the Era of Technology - PowerPoint PPT Presentation
1
Awareness Program on Compliance in the Era of
Technology
  • ICAI, Mumbai
  • October 19, 2008

2
Agenda
  • Compliance Today
  • Business Risks
  • Evolving Security and Compliance landscape
  • Technology and IT value for business
  • Incidents and Security related industry
    information
  • Snapshot of Global Compliance requirements over
    time
  • Extracting Compliance ROI
  • Suggested Safeguards (unified framework)
  • Common regulatory requirements (standards, etc.)
  • The technology solution
  • Compliance spotlight: PCI-DSS
  • Leverage the technology solution
  • VA/PT
  • Continuous VA and Monitoring
  • List of Tools
  • Why VA/PT
  • Web App Security, Secure Coding

3
Compliance Today
  • Organizations have numerous compliance requirements, which keep
    growing by the day / hour / minute!
    • Regulatory
    • Standards / best-practice frameworks
    • Industrial, contractual, etc.

"Much of the increase in cost is due to duplication of regulation and
ambiguous or inconsistent rules." - Securities Industry Association, 2006

  • Technology is constantly evolving, providing new tools and methods
    to tackle the increasing information and compliance overload

4
Compliance Today
  • Compliance with compliance requirements takes up too many resources
  • Compliance initiatives are treated as projects (e.g. a SOX or PCI
    project), but they are continuous processes, so the benefits are
    not realized
  • Technology solutions will leverage compliance efforts to enable
    governance and risk management, leading to business gains
    (productivity, cost savings)

Compliance must be part of your organization's DNA. Regulatory
compliance is not just a legal requirement but a critical business
function.
5
Business Risks
What is at risk
  • Operational risk
    • Physical damage/theft
    • Services not available
  • Market risk
    • Lost customers
    • Global partners
  • Legal risk
    • SLAs
    • Lawsuits
    • Regulatory
    • Compliance
  • Financial risk
    • Claims and losses
    • Quantification of information assets/impact
  • Information on your network
    • Databases
    • Intellectual property
    • Financial information
    • Personally identifiable information
  • Reputation / market value

7
Technology and Information Made People Smarter
  • Google
  • Luhn's algorithm (to check whether a credit card number is
    well-formed)
  • VB-based basic key loggers
  • Web-based IP tools, DNS network tools, traceroute, etc.
  • Network tools
    • Nmap
    • Nessus, etc. All available online
  • Password cracking tools
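The slide lists Luhn's algorithm among the techniques anyone can pick up online. The example below is added here and is not part of the presentation: it implements the Luhn (mod 10) check in Python, both to validate a card number and to compute the check digit for a given payload, which is exactly what the card-number "generators" the slide alludes to do. The point a practitioner should take from it is the caveat: Luhn only detects transcription errors, so a number that passes says nothing about whether the account exists or is active, and passing Luhn must never be treated as an authentication control. The sample numbers are well-known test values, not real accounts.

```python
"""Luhn (mod 10) check as used for payment card numbers.

Added example, not part of the original presentation. The sample numbers
below are well-known test values, not real accounts.
"""


def luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string: double every second digit counting from
    the right, subtract 9 from any doubled value above 9, add everything."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def normalize(number: str) -> str:
    """Strip the spaces and dashes people type into card-number fields."""
    return "".join(ch for ch in number if ch.isdigit())


def is_luhn_valid(number: str) -> bool:
    """True if the number (including its final check digit) passes Luhn.
    Rejects empty input, single digits, and anything containing characters
    other than digits, spaces and dashes."""
    stripped = number.replace(" ", "").replace("-", "")
    digits = normalize(number)
    if len(digits) < 2 or len(digits) != len(stripped):
        return False
    return luhn_sum(digits) % 10 == 0


def luhn_check_digit(payload: str) -> int:
    """Check digit that makes payload + digit pass Luhn. This is all a
    'card number generator' does, which is why Luhn proves nothing about
    whether a card is real."""
    digits = normalize(payload)
    return (10 - luhn_sum(digits + "0") % 10) % 10


if __name__ == "__main__":
    for n in ["4111 1111 1111 1111", "79927398713", "4111 1111 1111 1112"]:
        print(n, "valid" if is_luhn_valid(n) else "INVALID")
    print("check digit for 411111111111111:", luhn_check_digit("411111111111111"))
```

Because the check digit is a deterministic function of the other digits, any 15-digit prefix can be turned into a Luhn-valid 16-digit number in one call; issuer-side authorization, not the checksum, is what decides whether a number is good.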
9
Incidents (2000-2007)
  • According to the Attrition Data Loss Archive and Database and
    FlowingData, the following are the 10 largest data breaches since
    2000
    (http://flowingdata.com/2008/03/14/10-largest-data-breaches-since-2000-millions-affected/)
  • Is there a trend? Yes, the numbers are growing!

10
Are we safe in 2008?
  • UK Government departments reported the loss of 29 million records
    in the last year (August 2008)
  • Countrywide Financial Corp.: possibly all 2 million records were
    sold (August 2008)
  • If sensitive data only includes SSNs and financial account data,
    and not date of birth and email IDs, then should we count
    Facebook's 80 million records as a data breach? (July 2008)
  • Bank of New York Mellon, PA: as many as 4.5 million customer
    records are thought to be compromised (March 2008)
  • Compass Bank: 1 million (March 2008)
  • Hannaford Bros. supermarket chain: 4.2 million (March 2008)
  • Trend: the numbers are still growing!

11
Some Facts
  • Who is behind these breaches?
    • External sources, including past employees
    • Insiders
    • Business partners
    • Multiple parties
  • How these breaches are caused
    • Business process errors, or no policy/procedural controls
    • Hacking and intrusions, including malicious code
    • System/application vulnerabilities, including ones for which
      patches already exist
    • Physical threats
  • Mostly
    • Victims do not know that a breach has occurred or, more often,
      are not aware of the criticality of the data/information involved
    • Breaches are mostly opportunistic in nature
    • More than 90% of breaches are avoidable

12
Some Insights: drivers for security spend
"By 2008, more than 75% of large and midsize companies will purchase
new compliance management, monitoring, and automation solutions. By
2009, compliance will grow to 14.2% of IT budget from 12% in 2006."
Source: Gartner, 2007
14
Common Regulatory Requirements / Standards / Frameworks / Guidelines
  • HIPAA / GLBA
  • Sarbanes-Oxley
  • Basel II
  • PCAOB
  • SAS 70
  • Privacy laws (e.g. PIPEDA)
  • ... and many more
  • Clause 49 (SEBI guideline, Government of India)
  • CTCL
  • ISO 27001:2005
    • 133 controls (Annex A)
  • PCI-DSS
    • 12 requirements
  • CobiT
  • NERC-CIP
  • BS 25999
  • ITIL
  • Data Protection Act
  • IT Act and applicable criminal / civil legislation

15
Extracting Compliance ROI
  • Organizations must plan beyond Compliance
  • Better Security means reduced / managed risk
  • Managed (reduced) risk means better business
  • Operational efficiencies result from compliance
    efforts
  • Approach compliance as a business process, not as a requirement /
    overhead
  • Use learning to shorten future compliance cycles
  • Identify opportunities to build unified
    compliance ecosystem
  • Lead the organization to Industry certifications
    resulting in higher brand value
  • Eliminate the risk of penalties for
    non-compliance
  • Address multiple compliance requirements in a
    unified approach

16
Suggested Safeguards
17
Suggested Safeguards
19
Technology Solution
  • Systems must be developed using a risk-based approach that is
    aligned with business, regulatory and contractual requirements
  • Leverage technology and co-ordinate security spend with compliance,
    with the overall objective of achieving governance (through
    automation)
  • Technology practices to enable proactive security risk management:
    • Vulnerability Assessment / Penetration Testing (VA/PT)
    • Web Application Security (AppSec)
    • Code review
    • Continuous vulnerability management
    • Managed security services

20
Compliance Spotlight PCI Data Security
Standard
21
Compliance Spotlight PCI-DSS
  • Requirements 5 and 6 (Maintain a Vulnerability Management Program)
    • Stay current on versions (anti-virus, patches, systems,
      configuration)
    • Monitor custom web applications
    • SDLC (do we practise secure coding?)
    • Invest in automated tools
    • Secure audit logs
  • Requirements 10 and 11 (Regularly Monitor and Test Networks)
    • Monitor systems for intrusions and anomalies
    • Implement reporting and analysis tools
    • Centralize and secure data
  • ISO 27001 A.15 Compliance
    • Compliance with legal requirements
    • Compliance with security policies and standards, and technical
      compliance
  • ISO 27001 A.12.6 Technical Vulnerability Management
22
Leverage the Technology Solution
23
Leverage the Technology Solution
Vulnerability / network assessment: results allow the organization to
compare findings against known vulnerabilities and prioritize
remediation by implementing controls. It provides a health report on
the organization's security posture. All standards, regulations and
frameworks recommend (or require) network assessments as an essential
practice.

Penetration testing: helps determine whether the controls are in fact
preventing a vulnerability from actually endangering the network. A
well-executed penetration test can identify the most critical holes in
an organization's defensive net, including the holes exploited by
social engineering. Pen tests are best used as a way to get an extra
set of eyes on a network after major system upgrades.
24
Leverage the Technology Solution
Managed monitoring: provides a 24 x 7 x 365 watch on network traffic
and is available as a Managed Security Service. Traffic is monitored
and events (incidents) are correlated against an updated industry
Common Vulnerabilities and Exposures (CVE) database. Reports are
available online to the client via a web interface, which provides
information about the threat(s) and remediation plans.
25
VA/PT
  • Undertaken by qualified professionals
  • Methodology includes use of automated tools augmented with manual
    skills
  • Meet regulatory requirements (PCI-DSS, HIPAA, GLBA, PIPEDA, etc.)
  • Organizations can realize their true security level
  • Measure IT security effectiveness
  • Identify and remediate potential breach points, reducing security
    risk and liability
  • Benchmark / baseline security posture
  • Certifications
    • Certified Vulnerability Assessor (CVA) (Secure Matrix - DNV)
    • CEH (EC-Council)
    • CISSP (ISC2)
    • Certifications in Forensics, Fraud (Secure Matrix)
  • Commonly used tools for VA/PT (commercial / open source)
    • Nessus, GFI LANguard (c), Nmap, Metasploit, Canvas (c), etc.
26
List of Tools (indicative)
27
Why VA/PT
  • To catch a thief, you have to think like one.
  • A Vulnerability Assessment (VA) examines your own network the way
    an intruder would, identifying vulnerabilities as they would be
    visible from outside, such as open ports and exposed services.
  • The Penetration Test follows up the VA: the tester takes advantage
    of the vulnerabilities found and actually penetrates the network.
  • When you test all IP addresses that are visible to the outside
    world, you can get answers to sticky questions like:
    • Can an intruder hop onto the conference room network?
    • Is it possible for an intruder to connect to the database server?
    • What can an intruder do (that no one wants an intruder to do)?

28
Presented by
Dinesh Bareja, CISA, CISM, ITIL, IPR, ERM, BS 7799 (Imp LA) - Senior
Vice President
Email: dinesh_at_securematrix.in

Information security professional with more than 11 years of
experience in technology in commercial, operational, functional and
project management roles on multiple large and small projects in
global and domestic markets. Experienced in establishing ISMS
(Information Security Management System), planning and implementation
of large-scale CobiT implementations, ISO 27001, risk management,
BCP/DR, BIA, asset management, incident management, governance and
compliance, among others. He is also a member of ISACA, OCEG, itSMF
and co-founder of the Canadian Honeynet Project and Open Security
Alliance, among others.
29
Contact Information
Bahrain Atlanta
30
Thank You ICAI, Mumbai