Security Challenges in Business Defining Information Security Requirements - PowerPoint PPT Presentation

Slides: 13
Provided by: aria57

Transcript and Presenter's Notes

Title: Security Challenges in Business Defining Information Security Requirements


1
Security Challenges in Business
Defining Information Security Requirements
  • John Kirby
  • Director, Enterprise Protection Strategy
  • Enterprise Information Technology
  • Electronic Data Systems

2
Overview
  • The problem
  • Security Losses and Incidents Mount
  • Threats We Are Seeing
  • Increasing Pressures
  • Security and Privacy
  • What makes an effective security program?
  • The First Step: Finding out where you are
  • Security Industry and Business must change

3
  • The Problem
  • Extensive Discussion
  • A variety of Point Solutions
  • Business responding to the Security 'Fad of the
    Week'
  • Not Achieving Acceptable Levels of Protection

4
Security Incidents and Losses Mount
  • Security breaches cause more than $1.6 trillion
    in damage worldwide.
  • More than 50% of businesses spend 5% or less of
    their IT budget on security (Source:
    PricewaterhouseCoopers & Information Week)
  • In 2001 survey, 85% of organizations surveyed by
    FBI/CSI reported breaches
  • Up from 70% in 2000 and 62% in 1999
  • 31% were from insiders; 70% from outsiders
  • Only 36% reported incidents to law enforcement
  • Up from 25% in 2000

5
Threats We're Seeing
  • Terrorism/Hacktivism
  • New and more virulent breeds of worms and viruses
  • Intellectual/Corporate property theft and
    extortion
  • Use of Corporate Systems as launching pads for
    attacks
  • Downstream Liability: a secondary threat
  • Wireless and mobile computing threat (Mobile
    Hacking)
  • Increased focus on data privacy issues,
    especially internationally
  • Insiders continue to be the stealth threat
  • Number of attacks may be down; insider loss is
    greater

6
Increasing Pressures
  • The past, defining their own criteria
  • Increasing focus by Congress, the states and the
    public on privacy/security legislation
  • HIPAA
  • GLB
  • State enforcement actions
  • International issue also
  • Safe Harbor, C-6 (Canada) and the EU

7
Security and Privacy
  • Security
  • The tools and process that ensure privacy
  • Privacy
  • The definition of what personal information needs
    to be protected
  • Privacy: the new business imperative

8
What makes an effective security program?
  • Processes
  • Technology
  • People
  • Life-Cycle Methodology
  • Offerings
  • Security & Privacy Design & Implementation
  • Security & Privacy Planning
  • Security & Privacy Assessments
  • Cyber Security Institute
  • Ongoing Security & Privacy Services

9
The First Step Find out where you are
  • A comprehensive security assessment should:
  • Be standards based (BS 7799/ISO 17799, NSA, etc.)
  • Cover the spectrum of people, policy, and
    technology
  • Encompass relevant legislation and public policy
  • Be flexible enough to modify for particular
    situations

10
Goals of the Security Assessment
  • Identify Security and Privacy Gaps
  • People, processes, technology
  • Standards-based Structure
  • Procedures
  • policies
  • staff skills
  • disaster recovery planning
  • application and network security

11
A Reality of Security
  • Substantial progress toward better things can
    rarely be taken without developing new evils
    requiring new remedies
  • William Howard Taft

12
  • eds.com
  • John Kirby
  • john.kirby_at_eds.com
  • 972-605-3677