Title: Awareness Program on Compliance in the Era of Technology
Awareness Program on Compliance in the Era of Technology
- ICAI, Mumbai
- October 19, 2008
Agenda
- Compliance Today
- Business Risks
- Evolving Security and Compliance landscape
- Technology and IT value for business
- Incidents and Security related industry information
- Snapshot of Global Compliance requirements over time
- Extracting Compliance ROI
- Suggested Safeguards (unified framework)
- Common regulatory requirements (standards, etc.)
- The technology solution
- Compliance spotlight: PCI-DSS
- Leverage the technology solution
- VA/PT
- Continuous VA and Monitoring
- List of Tools
- Why VA/PT
- Web App Security, Secure Coding
Compliance Today
- Organizations have numerous Compliance requirements which keep growing by the day / hour / minute!
  - Regulatory
  - Standards / Best Practice Frameworks
  - Industrial, Contractual, etc.
"Much of the increase in cost is due to duplication of regulation and ambiguous or inconsistent rules." (Securities Industry Association, 2006)
- Technology is constantly evolving, providing new tools and methods to tackle the increasing information and compliance overload
Compliance Today
- Compliance with Compliance requirements takes up too many resources
- Compliance initiatives are treated as Projects (e.g. a SOX / PCI project), but they are continuous processes, so the benefits are not realized
- Technology solutions will leverage Compliance efforts to enable Governance and Risk Management, leading to Business gains (productivity, cost-savings)
Compliance must be part of your organization's DNA. Regulatory Compliance is not just a legal requirement but a critical business function.
Business Risks
What is at Risk
- Operational risk
  - Physical damage/theft
  - Services not available
- Market risk
  - Lost customers
  - Global partners
- Legal risk
  - SLAs
  - Lawsuits
- Regulatory
  - Compliance
- Financial Risk
  - Claims and losses
- Quantification of information assets/impact
  - Information on your network
  - Databases
  - Intellectual Property
  - Financial Information
  - Personally Identifiable Information
  - Reputation / Market Value
Technology and Information Made People Smarter
- Google
- Luhn's algorithm (to validate the check digit of any credit card number; note that it only proves the number is well-formed, not that a card has been issued)
- VB-based basic key loggers
- Web-based IP tools, DNS network tools, traceroute, etc.
- Network tools
  - Nmap
  - Nessus, etc. All available online
- Password cracking tools
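The Luhn check mentioned above, as an added example (not code from the presentation). It validates a card number's check digit, computes the check digit for a partial number, and shows that a single adjacent-digit transposition is caught. The sample numbers are constructed test values, not issued card numbers; passing the check says nothing about whether a card exists.

```python
"""Luhn (mod 10) check-digit validation. Added example, not from the slides."""


def _digits(number: str) -> list[int]:
    """Strip spaces/dashes and return the decimal digits; reject anything else."""
    cleaned = number.replace(" ", "").replace("-", "")
    if not cleaned.isdigit():
        raise ValueError("card number must contain only digits, spaces or dashes")
    return [int(ch) for ch in cleaned]


def luhn_sum(number: str) -> int:
    """Return the Luhn sum modulo 10 (0 means the check digit is consistent)."""
    total = 0
    # Walk from the rightmost digit; every second digit (from the right) is doubled,
    # and a doubled value above 9 has 9 subtracted (same as summing its two digits).
    for position, digit in enumerate(reversed(_digits(number))):
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10


def luhn_valid(number: str) -> bool:
    """True if the number's last digit is a correct Luhn check digit."""
    try:
        digits = _digits(number)
    except ValueError:
        return False
    # A single digit trivially satisfies the sum; treat it as not a card number.
    return len(digits) >= 2 and luhn_sum(number) == 0


def luhn_check_digit(partial: str) -> str:
    """Compute the check digit that makes `partial + digit` pass the Luhn test."""
    # Appending a placeholder 0 puts every partial digit in its final position.
    remainder = luhn_sum(partial + "0")
    return str((10 - remainder) % 10)


if __name__ == "__main__":
    # Constructed test values (the first is the textbook Luhn example).
    print(luhn_valid("79927398713"))            # True
    print(luhn_valid("4111 1111 1111 1111"))    # True
    print(luhn_valid("79927389713"))            # False: digits 9 and 8 transposed
    print(luhn_check_digit("7992739871"))       # 3
```

The check is a transcription safeguard, not a security control: an attacker can generate Luhn-valid numbers at will, which is exactly why the slide lists it among freely available techniques.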
Incidents (2000-2007)
- According to the Attrition Data Loss Archive and Database and FlowingData, the following are the 10 largest data breaches since 2000 (http://flowingdata.com/2008/03/14/10-largest-data-breaches-since-2000-millions-affected/)
- Is there a trend? Yes, numbers are growing!
Are we safe in 2008?
- UK Government Depts. reported loss of 29 million records in the last one year (August 2008)
- Countrywide Financial Corp.: possibly all 2 million records were sold (August 2008)
- If sensitive data only includes SSNs and financial account data, and not date of birth and email ids, then should we count Facebook's 80 million records as a data breach? (July 2008)
- Bank of New York Mellon, PA: as many as 4.5 million customer records are thought to be compromised (March 2008)
- Compass Bank: 1 million (March 2008)
- Hannaford Bros. supermarket chain: 4.2 million (March 2008)
- Trend: Numbers are still growing!
Some Facts
- Who are behind these breaches
  - External sources, including past employees
  - Insiders
  - Business partners
  - Multiple parties
- How these breaches are caused
  - Business process errors or no policy/procedural controls
  - Hacking and intrusions, including malicious code
  - System/Application vulnerabilities, including those for which patches already exist
  - Physical threats
- Mostly
  - Victims don't know that a breach has occurred, or, more often, are not aware of the criticality of the data/information
  - Most breaches are opportunistic in nature
  - More than 90% of breaches are avoidable
Some Insights: drivers for security spend
"By 2008, more than 75% of large and midsize companies will purchase new compliance management, monitoring, and automation solutions. By 2009, compliance will grow to 14.2% of IT budget from 12% in 2006." (Source: Gartner, 2007)
Common Regulatory Requirements / Standards / Frameworks / Guidelines
- HIPAA / GLBA
- Sarbanes-Oxley
- Basel II
- PCAOB
- SAS 70
- Privacy Laws (e.g. PIPEDA)
- many more..
- Clause 49 (SEBI Guideline, Government of India)
- CTCL
- ISO 27001:2005
  - 133 controls
- PCI-DSS
  - 12 requirements
- CobiT
- NERC-CIP
- BS 25999
- ITIL
- Data Protection Act
- IT Act and applicable Criminal / Civil legislation
Extracting Compliance ROI
- Organizations must plan beyond Compliance
- Better Security means reduced / managed risk
- Managed (reduced) risk means better business
- Operational efficiencies result from compliance efforts
- Approach Compliance as a business process, not as a requirement / overhead
- Use learning to shorten future compliance cycles
- Identify opportunities to build a unified compliance ecosystem
- Lead the organization to Industry certifications, resulting in higher brand value
- Eliminate the risk of penalties for non-compliance
- Address multiple compliance requirements in a unified approach
Suggested Safeguards
Technology Solution
- Systems must be developed using a risk-based approach that is aligned with Business, Regulatory and Contractual requirements
- Leverage technology and co-ordinate Security spend with Compliance, with the overall objective of achieving Governance (automation)
- Technology practices to enable proactive security Risk management
  - Vulnerability Assessment / Penetration Testing (VA/PT)
  - Web Application Security (AppSec)
  - Code Review
  - Continuous Vulnerability Management
  - Managed Security Services
Compliance Spotlight: PCI Data Security Standard (PCI-DSS)
- Requirements 5 and 6 (Maintain a Vulnerability Management Program)
  - Stay current on versions (anti-virus, patches, systems, configuration)
  - Monitor custom web applications
  - SDLC (do we practice secure coding?)
  - Invest in automated tools
  - Secure audit logs
- Requirements 10 and 11 (Regularly Monitor and Test Networks)
  - Monitor systems for intrusions and anomalies
  - Implement reporting and analysis tools
  - Centralize and secure data
- ISO 27001 A.15 Compliance
  - Compliance with legal requirements
  - Compliance with security policies and standards, and technical compliance
- ISO 27001 A.12.6 Technical Vulnerability Management
Leverage the Technology Solution
Vulnerability Assessment: Results allow the organization to compare findings against known vulnerabilities and prioritize remediation by implementing controls. Provides a health report on the organization's security posture. All standards, regulations and frameworks recommend (or require) network assessments as an essential practice.
Penetration Testing: Helps determine whether the controls are in fact preventing the vulnerability from actually endangering the network. A well-executed penetration test can identify the most critical holes in an organization's defensive net, including the holes exploited by social engineering. Pen tests are best used as a way to get an extra set of eyes on a network after major system upgrades.
Continuous Vulnerability Management and Monitoring: Provides a 24 x 7 x 365 watch on network traffic and is available as a Managed Security Service. Traffic is monitored and events (incidents) are correlated against an updated industry Common Vulnerabilities and Exposures (CVE) database. Reports are available online to the client via a web interface, which provides information about the threat(s) and remediation plans.
VA/PT
- Undertaken by qualified professionals
- Methodology includes use of automated tools augmented with manual skills
- Meet regulatory requirements (PCI-DSS, HIPAA, GLBA, PIPEDA, etc.)
- Organizations can realize their true security level
- Measure IT security effectiveness
- Identify and remediate potential breach points, reducing security risk and liability
- Benchmark / baseline security posture
- Certifications: Certified Vulnerability Assessor (CVA) (Secure Matrix - DNV); CEH (EC-Council); CISSP ((ISC)2); certifications in Forensics, Fraud (Secure Matrix)
- Commonly used tools for VA/PT (commercial / open source): Nessus, GFI LANguard (c), Nmap, Metasploit, Canvas (c), etc. ((c) = commercial)
List of Tools (indicative)
Why VA/PT
- To catch a thief.. you have to think like one.
- You hack into your own network to do a Vulnerability Assessment (VA), identifying vulnerabilities in the same manner as they may be visible to an intruder, such as open ports.
- Following up the VA is the Penetration Test: you take advantage of the vulnerabilities by actually penetrating the network.
- When you test all IP addresses that are visible to the outside world, you can get answers to sticky questions like:
  - Can an intruder hop on to the conference room network?
  - Is it possible for the intruder to connect to the database server?
  - What can you do (that which no one wants an intruder to do!)?
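The "what an intruder can see" step of a VA, as an added example that is not part of the presentation and is not one of the tools it lists: a TCP connect scan plus banner grab, the same thing Nmap does with `-sT` and `-sV`. To keep it self-contained and offline it starts a constructed listener on 127.0.0.1 with a made-up banner and then scans the ports around it; the listener, its banner and the `demo()` helper are assumptions for this example. Run it only against hosts you are authorized to test.

```python
"""TCP connect scan and banner grab. Added example, not from the slides."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a full TCP handshake completes with host:port.

    Connection refused, filtered (timeout) and unreachable all count as closed;
    a VA only reports what an outsider could actually reach.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_ports(host: str, ports, timeout: float = 0.5, workers: int = 32) -> list[int]:
    """Return the sorted list of open ports among `ports` (scanned concurrently)."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_connect_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def banner_grab(host: str, port: int, timeout: float = 1.0, nbytes: int = 128) -> bytes:
    """Read whatever the service volunteers on connect (empty if it stays silent)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            return sock.recv(nbytes)
    except OSError:
        return b""


class FakeService:
    """Constructed stand-in for a real network service: accepts, sends a banner, closes."""

    def __init__(self, banner: bytes = b"220 example service ready\r\n"):
        self.banner = banner  # constructed banner, not a real product string
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        self.sock.settimeout(0.2)  # wake up periodically to check the stop flag
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            try:
                conn.sendall(self.banner)
            except OSError:
                pass  # scanner may hang up before reading; that is fine
            finally:
                conn.close()

    def close(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()


def demo() -> tuple[int, list[int], dict[int, bytes]]:
    """Start the constructed service, scan the ports around it, grab banners."""
    svc = FakeService()
    try:
        candidate_ports = range(max(1, svc.port - 5), min(65535, svc.port + 5) + 1)
        open_ports = scan_ports("127.0.0.1", candidate_ports)
        banners = {p: banner_grab("127.0.0.1", p) for p in open_ports}
        return svc.port, open_ports, banners
    finally:
        svc.close()


if __name__ == "__main__":
    listening_port, found, banners = demo()
    print(f"service on {listening_port}; open ports found: {found}")
    for port, banner in banners.items():
        print(f"  {port}: {banner!r}")
```

Everything this finds is exactly what an intruder on the same network path would find, which is the VA half of the slide; the PT half starts where this stops, by exercising whatever the banners reveal.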
Presented by
Dinesh Bareja, CISA, CISM, ITIL, IPR, ERM, BS 7799 (Imp LA) - Senior Vice President. Email: dinesh_at_securematrix.in
Information Security professional with more than 11 years of experience in technology, in commercial, operational, functional and Project Management roles on multiple large and small projects in global and domestic markets. Experienced in establishing ISMS (Information Security Management System), planning and implementation of large-scale CobiT implementations, ISO 27001, Risk Management, BCP/DR, BIA, Asset Management, Incident Mgt, Governance and Compliance, among others. He is also a member of ISACA, OCEG, itSMF and co-founder of the Canadian Honeynet Project and the Open Security Alliance, among others.
Contact Information
Bahrain | Atlanta
Thank You, ICAI, Mumbai